
This article was downloaded by: [UQ Library]

On: 10 November 2014, At: 19:30


Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House,
37-41 Mortimer Street, London W1T 3JH, UK

EDPACS: The EDP Audit, Control, and Security Newsletter
Publication details, including instructions for authors and subscription information:
http://www.tandfonline.com/loi/uedp20

SMEs and Cybersecurity Threats in E-Commerce

Kunal Sharma, Amarjeet Singh & Ved Prakash Sharma
Published online: 06 Aug 2009.

To cite this article: Kunal Sharma, Amarjeet Singh & Ved Prakash Sharma (2009) SMEs and Cybersecurity Threats in E-Commerce, EDPACS: The EDP Audit, Control, and Security Newsletter, 39:5-6, 1-49, DOI: 10.1080/07366980903132740

To link to this article: http://dx.doi.org/10.1080/07366980903132740


Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be independently verified with primary sources of information. Taylor and Francis shall not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of the Content.

This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://www.tandfonline.com/page/terms-and-conditions
EDPACS: THE EDP AUDIT, CONTROL, AND SECURITY NEWSLETTER
MAY–JUNE 2009 VOL. XXXIX, NOS. 5–6

SMES AND CYBERSECURITY THREATS IN E-COMMERCE
KUNAL SHARMA, AMARJEET SINGH, AND VED PRAKASH SHARMA
Abstract. This paper provides an overview of the electronic attacks, or the “digital challenges,” which prospective customers of E-Commerce are likely to encounter while carrying out transactions over the web. The paper provides comprehensive coverage of highly specialized electronic attacks that are on the increase in the electronic environment where SMEs (Small and Medium Enterprises) dealing in E-Commerce carry out their transactions. It is a descriptive account of various threats, such as client/server security threats as well as cyber identity theft, which have become quite infamous over the years and are among the most invasive and fastest growing crimes all around the world, especially in the U.S. The paper draws on a variety of secondary sources, both published and unpublished. Recently the infamous client/server attacks like Denial of Service (DoS), and especially Distributed Denial of Service attacks, made people aware of the importance of providing available data and service securely to users. Cyber security threats like website defacement, phishing, pharming, login attacks, etc. have created a distrustful environment while making it very hard for small and medium-sized online service providers (SMEs) to compete with both established online and physically present service providers. It presents a review of literature developed from secondary sources. Cyber security threats are of immense concern to online users engaging in E-Commerce, online service providers, governments, and law enforcement agencies. This paper provides a useful overview of the scenario of cyber security threats in E-Commerce in the SME sector and, from this summary of the present situation, makes an attempt to enlighten users about the various threats they can encounter while carrying out their electronic transactions. An analysis of the security threats such as this can also assist an organization in formulating an effective security plan.

IN THIS ISSUE
• SMEs and Cybersecurity Threats in E-Commerce

Editor: DAN SWANSON
Editor Emeritus: BELDEN MENKUS, CISA

E-Commerce transactions over the Web are anonymous, as a result of which a new set of risks arises. According to the Federal Bureau of Investigation, cybercrimes committed with the help of the Internet have “. . . represented the most fundamental challenge for law enforcement in the 21st century. By its very environment cyber environment is borderless, affords easy anonymity and methods of concealment and provides new tools to engage in criminal activity” (Armstrong & Forde, 2003, p. 209), as a result of which E-Commerce firms suffer the most. The growth of the Internet has introduced a new category of computer criminals, namely crackers who misuse the Internet, which provides them a cloak of anonymity (Smith & Rupp, 2002). According to the Federal Reserve Bank of the United States, “electronic payments are on the increase in customer-to-business sector in the business to business sector over and they are predicted to become more commonplace in the next decade” (Federal Reserve Bank, 2004, p. 234–236). The proliferation of Information and Communication Technologies (ICT), especially with the ever increasing growth of the Internet, has threatened two aspects of individual security, namely identity and privacy (Thompson, 2002). The technological revolution has had a dramatic impact on how we do business. With all the benefits, these changes have brought new risks to our lives. There has been an exponential growth of E-Commerce across the globe and a large number of transactions are being carried out over the Internet, making cyber security important. Trust, privacy, stability, and customer confidence are vital ingredients for the success of an E-Commerce firm. Lack of public confidence is a grave barrier to the adoption of consumer E-Commerce (Clarke, 1999). Applications such as private e-mail, purchase order processing, transmission of payment information, and workflow automation would be valueless without an underlying security infrastructure that makes these exchanges trusted (Ratnasingam, 2002, p. 255). Privacy is now a hotly debated issue; the flood of media reports about HTTP cookies has increased public concern that consumers’ on-line activities are being watched closely. Fraudsters swindled $3.6 billion from U.S. E-Commerce in 2007, raising security concerns (Cyber Source, 2007). The United States was slammed as the biggest source of cybercrime and malicious activity in E-Commerce all around the world (CircleID Reporter, 2008). This article addresses the security concerns in E-Commerce, especially in the SME (Small and Medium Enterprise) sector.

CYBERSECURITY IN E-COMMERCE

E-Commerce is defined by Kalakota and Whinston (1999) as “. . . buying and selling of information, products and services via computer networks.” The World Wide Web (WWW) is the fastest growing part of the Internet with the growth in E-Commerce. The WWW is also the part most susceptible to attack (Rolf, 2002; Scott & Sharp, 2002; Rao, 2004). The Internet is more than ever becoming a part of everyone’s daily life. Simple things of everyday use such as shopping, sharing files, chatting, and working now happen over the Internet. Consumers prefer to shop and buy on the Internet for three major reasons—convenience, time-savings, and comparative shopping (Kalakota & Whinston, 1999)—but today, the Internet environment is much less friendly and reliable. It contains precarious situations, malicious crackers, and the risks that one can find in our society as a whole, as a result of which the number of security breaches has escalated in step with the growth of the Internet as a whole (Rolf, 2002). Since the Morris or Internet worm, one of the first computer worms distributed via the Internet (which was written in 1998 by Robert Tappan Morris, a student at Cornell University), reports of network-based attacks, such as password sniffing, spoofing, flooding, and other denial-of-service attacks, as well as exploitation of well-known bugs and design limitations, have grown dramatically (Rolf, 2002). The growing availability of affordable personal computers and broadband connectivity, coupled with average users’ poor efforts to secure their operating systems, has further facilitated large-scale intrusions, including the remote hijacking of such systems to launch zombie attacks (Parameswaran et al., 2007). Cybercrime on the Internet is being driven by some major factors, namely the ubiquitous Internet; new vulnerabilities such as trojans, adware, and spyware; new markets for identities; and of course a profit motive (Steinnon, 2007). Reuvid (2003) too points out that network vulnerabilities have multiplied because of ubiquitous access to the Internet, changing levels of trust, internal attacks, and attack sophistication. Vulnerabilities in the assets of small and medium enterprises are visualized as weaknesses in (or a deficiency of) the security procedures and technical or physical controls protecting those assets, which could be exploited by security threats to harm or predispose the assets to harm.

Potentially there are numerous reasons for the growth in security attacks, but one trend that is undeniable is the growth in the number and sophistication of cracking tools (Reuvid, 2003). Thus, cybersecurity becomes one of the biggest issues we face today. With the growing reliance of business organizations on information networks, the security of such networks is becoming a necessity, particularly with the surfacing of E-Commerce over Intranets, Extranets, and the Internet. The high levels of connectivity offered by the Internet have raised many new concerns about information security: Internet users are not only potential customers or suppliers; they are also potential security threats (Doherty & Fulford, 2005). SMEs embracing E-Commerce feel the pressure to expose entire lines of business to a range of users: internal employees, partners on the Extranet, and customers. Since the population of potential users will inevitably include some destructive individuals, SMEs should take serious preventive measures to protect their information assets. While technology seems at present to provide sufficient safeguards, such as digital signatures, encryption, Web seal assurances, and standards that provide technology-based security and trust mechanisms, there seems to be a perception among SMEs that transactions conducted via the Internet are insecure and unreliable (Wong, 2006). Although security awareness is on the rise, the security problems have not been resolved, for a number of reasons: (1) as technology changes, new problems surface and old problems evolve, making static solutions ineffective; (2) in an environment where competitive pressure is high and time to market is the primary concern, security does not always get its share of attention in terms of staffing and budget; (3) pressure on profit margins has emphasized the budget crunch, and security is looked on more as an overhead cost without a direct positive effect on corporate profits (Ashrafi & Kuilboer, 2001).

If you have information of interest to EDPACS, contact Dan Swanson (dswanson_2008@yahoo.ca). EDPACS (Print ISSN 0736-6981/Online ISSN 1936-1009) is published monthly by Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. Periodicals postage is paid at Philadelphia, PA and additional mailing offices. Subscription rates: US$ 300/£181/E240. Printed in USA. Copyright 2009. EDPACS is a registered trademark owned by Taylor & Francis Group, LLC. All rights reserved. No part of this newsletter may be reproduced in any form — by microfilm, xerography, or otherwise — or incorporated into any information retrieval system without the written permission of the copyright owner. Requests to publish material or to incorporate material into computerized databases or any other electronic form, or for other than individual or internal distribution, should be addressed to Editorial Services, 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. All rights, including translation into other languages, reserved by the publisher in the U.S., Great Britain, Mexico, and all countries participating in the International Copyright Convention and the Pan American Copyright Convention. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients may be granted by Taylor & Francis, provided that $20.00 per article photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISSN 0736-6981/06/$20.00+$0.00. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Product or corporate names may be trademarks or registered trademarks, and are only used for identification and explanation, without intent to infringe. POSTMASTER: Send address change to EDPACS, Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106.

© Copyright 2009 Taylor & Francis—All rights reserved.
Security challenges to these networks have different unwanted business impacts on SMEs, such as business embarrassment, financial loss, degradation of competitiveness, and legal problems (Rolf, 2002; Rao, 2004). Every SME dealing in E-Commerce transactions wants to keep pace and stay competitive with its competitors; thus they also need to make sure the on-line trading is guaranteed and protected (Rao, 2004). Cybersecurity is an important issue. The penetration of personal computers, local area networks, and distributed computing has radically changed the way we administer and control information resources. Internal controls that were efficient in the centralized, batch-oriented mainframe environment of yesteryear are insufficient in the distributed computing environment of today. Protection of a distributed computing environment is of great importance in any enterprise information system (Caelli, 1994). Attacks on computer systems are on the rise and the sophistication of these attacks continues to rise to startling levels. Throughout much of the academic and practitioner literature, trust, privacy of information, and systems security are important recurring themes in customer retention for an SME that engages in E-Commerce, making cybersecurity important (Smith & Lias, 2007).

Users on the Internet increasingly manage their routine interactions by accessing various Web applications that require them to provide private information such as credit card and bank account numbers. An essential condition on such sites is the protection of all information that might be considered private to the users. The majority of users have no idea whether any of the private information that adds up to their identity is dispersed to parties other than the sites they have directly visited. SMEs carry the burden of malicious attacks because they do not have the resources to immediately rectify security breaches, resulting in extended down-time, limited access to SME and customer information, and the cost of cleaning up damaged data and hardware.

Cybersecurity will remain an issue for all commerce activities, large or small, and lack of it has the greatest potential to paralyze small businesses, due to the high financial impact of losing commercially sensitive information, loss of productivity, and the cost of fixing security breaches. A single publicized security breach can erode confidence in the business and not only damage the reputation of the SME, but can hurt the E-Commerce industry as a whole (Ghosh, 1998). Therefore, cybersecurity needs to be emphasized, so that such challenges and their undesired consequences can be avoided.

TYPES OF SECURITY IN E-COMMERCE

According to Kalakota and Whinston (1999, p. 177), security concerns in E-Commerce can be divided into two major groups:

(a) Client/Server Security: When managing a Web server one must be aware of the underlying security issues. Although it is quite easy to launch a WWW site on the Internet, the underlying technology can necessitate a number of information protection and associated security issues such as client/server security. Client/server security makes use of different authorization mechanisms, that is, the set of rules that govern what resources a user can access on the Web server and what the user can do with those resources. Different access control mechanisms such as password protection, encrypted smart cards, biometrics, and firewalls must be set up to ensure that only properly authenticated users are granted access to the resources that they are entitled to use. Without suitable access control mechanisms and attention to other client/server security concerns, confidential consumer information existing on an SME’s E-Commerce computer system can be accidentally provided to third parties not related to the SME’s business. A security violation may also comprise unauthorized access to the SME consumer’s computer through an Internet connection.

(b) Data and Transaction Security becomes important with the ever-increasing amount of confidential information, such as credit card numbers, traveling over the Internet. It ensures the confidentiality, privacy, integrity, and anonymity of the data packets traversing the Internet, including the authentication of remote users in network transactions. Its importance lies in the fact that without appropriate controls, electronic transactions and documents can easily be changed, lost, replicated, and fraudulently processed. This may result in the integrity of electronic transactions and documents being questioned, causing disputes with regard to the terms of a transaction and the linked billing. Prospective consumers interested in E-Commerce may seek an assurance that the SME has efficient transaction integrity controls and a good record of processing its transactions correctly, completely, and promptly, and of properly billing its consumers. Security to a certain degree is provided as formal trading partner agreements are applied in E-Commerce and public key encryption techniques are used to ensure the privacy of E-Commerce messages (Kalakota & Whinston, 1999). There has been an increase in dynamic content attacks on digital signatures (Alsaid & Mitchell, 2005), posing a significant problem to E-Commerce. The main aim is to defeat the motive of cyber identity theft in any form of data communication. Data encryption and cryptography constitute preventive measures in data and transaction security. Data and Transaction Security consists of the following main elements:

• Confidentiality: Confidentiality assures that the exchange of messages between parties over access networks or global networks is not being monitored by non-authorized parties (Smith & Lias, 2007).
• Integrity: Allows the system to verify whether modifications have occurred, and relates to the expectation that both customer and merchant data will be protected against accidental corruption or deliberate modification (Smith & Lias, 2007). It ensures that no modification of data has been performed by unauthorized principals. Data integrity mechanisms protect data from unauthorized modification.
• Authentication: Authentication is the goal of knowing that a particular user is authorized to take an action, for instance authorizing a charge to an account. Authentication establishes user identity or other appropriate user attributes. The appropriate user attribute is compared against a table of permissions (such as read, write, and alter) to determine the functions for which an SME consumer is authorized. It is implemented either using shared information or the ability to prove unique information. Tools used to meet authentication goals include passwords, cryptographic keys, and challenge/response mechanisms.
• Non-repudiation: Non-repudiation means that a consumer of an SME cannot reasonably claim not to have taken an action. Non-repudiation means an action is irrefutable. In physical commerce non-repudiation is obtained through physical attributes like physical signatures, whereas E-Commerce makes use of digital signatures (Hong et al., 2003).

For better data and transaction security an information security policy should be in place. The objective of such a policy is to ensure data confidentiality, integrity, and availability within information systems, and it also covers risk analysis, risk management, contingency planning, and disaster recovery (Hong et al., 2003).
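The following illustration is added here and is not part of the original article. It uses only Python’s standard library to show the difference between the integrity and authentication elements above and the non-repudiation element: a message authentication code over an order record, computed with shared information (a secret key), lets the merchant detect a modified record and confirm it came from a key holder, but because the merchant holds the same key it can produce an identical tag itself, so the customer can still repudiate the order. Proving unique information, a digital signature made with a private key only the customer holds, is what closes that gap. The order records and key are constructed; the function names are this example’s own.

```python
"""Added example: integrity and authentication of an E-Commerce order record
with an HMAC over a shared secret, and why a shared secret cannot give
non-repudiation. Illustrative code, not from the paper; records are constructed."""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Serialise the record deterministically so both parties tag identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_tag(key: bytes, record: dict) -> str:
    """Integrity + authentication: only a holder of `key` can produce this tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_tag(key: bytes, record: dict, tag: str) -> bool:
    """Constant-time comparison, so verification time does not leak matching bytes."""
    return hmac.compare_digest(make_tag(key, record), tag)


def tamper_detected(key: bytes) -> bool:
    """The customer tags an order; an intermediary changes the amount in transit.
    Returns True when the original verifies and the altered record does not."""
    order = {"order_id": "A1001", "customer": "alice", "amount_cents": 4999}
    tag = make_tag(key, order)
    altered = dict(order, amount_cents=49999)  # deliberate in-transit modification
    return verify_tag(key, order, tag) and not verify_tag(key, altered, tag)


def shared_key_is_repudiable(key: bytes) -> bool:
    """Non-repudiation fails with shared information: the merchant, who also
    holds `key`, can forge a tag indistinguishable from the customer's, so the
    customer can plausibly deny the order. Returns True when the forgery verifies;
    a signature under a private key only the customer holds would not allow this."""
    forged = {"order_id": "A1002", "customer": "alice", "amount_cents": 100000}
    merchant_made_tag = make_tag(key, forged)   # merchant acting as "alice"
    return verify_tag(key, forged, merchant_made_tag)


if __name__ == "__main__":
    k = secrets.token_bytes(32)                 # constructed shared secret
    print("tampering detected:", tamper_detected(k))
    print("tag forgeable by the other key holder:", shared_key_is_repudiable(k))
```

The `canonical` step matters in practice: if customer and merchant serialise the same record differently (key order, whitespace), a correct tag fails to verify and genuine orders are rejected as tampered.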
Downloaded by [UQ Library] at 19:30 10 November 2014

COMMON CLIENT/SERVER CYBERSECURITY THREATS

The common cybersecurity threats can be classified into four major types: Accidental, Passive, Active, and Intentional. Accidental threats are losses because of breakdowns or errors. Some instances of accidental threats are power failures; hardware susceptibilities in network switches, routers, and other hardware components; software failures; and natural threats such as fires and flooding. Passive threats do not change the state of the system; they may include loss of confidentiality, but not loss of integrity or availability. Unlike passive threats, active threats tamper with the state of the system by making changes to the data and software. Trojan horses, which allow unauthorized access to a system, are common instances of active threats. Security threats that are common today differ from those in earlier times. With numerous Internet connections, anybody can gain access to an organization’s computer system from anyplace on the globe and steal passwords, although the building may be physically secured.

Thus, although physical security accomplished its objective in these circumstances, the network is still not secure. Viruses and worms can be transferred from one machine to another. Networks spread throughout the world provide an opportunity for “electronic thieves” to open windows and doors and break into the computer system’s architecture. These “virtual thieves” can identify and then take advantage of vulnerabilities in hundreds of machines in no time. Intentional threats cause damage or corruption to computer networks. Sabotage is a type of intentional threat that uses small virus programs, often propagated by unsuspecting users. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available, or the temporary loss of all network connectivity and services. Here we confine our discussion to intentional threats, particularly client/server security threats.

Denial of service (DoS) is another manifestation of an intentional threat that causes loss of availability of service. The WWW Security FAQ explains a DoS attack as: “. . . an attack intended to render a computer or network incapable of offering usual services” (Stein, 2002). The most familiar DoS attacks are aimed at the computer’s network bandwidth or connectivity. Bandwidth attacks flood the attacked network with a very high volume of traffic, leaving very few resources for the end user (Stein, 2002). Laudon and Traver (2001) describe a DoS attack as an act that floods a website with useless traffic, with the result that it overwhelms the network. Ghosh (1998, p. 20) calls a DoS attack “an ultimate Internet security nemesis which is solely aimed at making services unavailable.” A DoS attack results when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user. On the WWW, a DoS attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. An example may be when there are enormous numbers of transactions on the SME’s website; the losses that may arise owing to unavailability are severe in terms of financial losses and reputation losses. DoS attacks involve the intentional impairment or blocking of legitimate access by an unauthorized party (e.g., by flooding the victim site with spurious traffic) (Furnell, 2006). DoS has risen to become one of the most significant threats facing Internet systems. A simple threat in client–server security could be that of a cracker writing a small loop that requests the homepage of a website. The server responds in good faith, but ultimately this slows down the server. Some examples of DoS include message overloading by e-mail spamming and network packet attacks aimed at host vulnerabilities. These types of attacks tend to affect the availability of computer systems for legitimate use. These forms of attacks can include e-mail bomb attacks—sending thousands of e-mails to a particular computer system until that system crashes (Warren & Hutchison, 2001). For instance, there is a quite common method of using Eudora to send hundreds of gigantic attached files to one recipient, crashing the mail server of the SME’s ISP.
DoS attacks have hit a large number of famous websites, including eBay, Amazon, and Buy.com (Williams, 2000). Another variant of a client–server threat and a manifestation of a DoS attack that has affected many prominent websites around the world is Distributed Denial of Service (DDoS). The WWW Security FAQ explains a DDoS attack as an attack

    which uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates to any number of “agent” programs, installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands of agent programs within seconds. (Stein, 2002)

A DDoS attack entails flooding one or more victim computers with false or bogus requests, which overload the computer, thus denying service to legitimate users. This threat is so grave that a high priority is assigned to preventing or diminishing such attacks. The term “distributed denial of service” illustrates the procedure by which crackers hijack hundreds of thousands of SME computers and plant “time bombs” on the SME’s employee systems. The crackers then initiate these time bombs to flood the target site with useless messages, overloading the site and effectively blocking legitimate traffic.
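As an added illustration, not part of the original article, the following Python code shows how the two cases just described look from the server side in its access log: the single client running a small loop against the homepage shows up as one source far above any plausible request rate, while a distributed flood shows up as an aggregate rate far above normal spread over many sources, each of which individually looks harmless. The log lines, thresholds, window size and address ranges are constructed for the example; a real deployment would tune the thresholds to the site’s own baseline.

```python
"""Added example (not from the paper): spotting a DoS burst in constructed
web-server access logs and distinguishing one client looping on the homepage
from a distributed flood of many low-rate sources. Thresholds are illustrative."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
WINDOW_SECONDS = 10
PER_SOURCE_LIMIT = 30        # one IP above this per window: single-source DoS
AGGREGATE_LIMIT = 100        # total above this per window, many sources: flood
DISTRIBUTED_MIN_SOURCES = 20
EPOCH = datetime(1970, 1, 1)


def parse(line):
    """Return (ip, timestamp, path) for a common-log-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, path, _status = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S"), path


def classify(lines):
    """Bucket requests into fixed windows and label each abnormal window."""
    per_window = defaultdict(Counter)          # window index -> Counter(ip)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                            # malformed line: skip, never crash
        ip, when, _path = rec
        idx = int((when - EPOCH).total_seconds()) // WINDOW_SECONDS
        per_window[idx][ip] += 1

    findings = []
    for idx in sorted(per_window):
        sources = per_window[idx]
        start = (EPOCH + timedelta(seconds=idx * WINDOW_SECONDS)).strftime("%H:%M:%S")
        heavy = sorted(ip for ip, n in sources.items() if n > PER_SOURCE_LIMIT)
        if heavy:
            findings.append(("single-source-dos", start, heavy))
        elif (sum(sources.values()) > AGGREGATE_LIMIT
              and len(sources) >= DISTRIBUTED_MIN_SOURCES):
            findings.append(("distributed-flood", start, len(sources)))
    return findings


def sample_log():
    """Constructed log: a quiet window, then a single looping client, then a flood."""
    lines = []

    def add(ip, hms, path="/"):
        lines.append(f'{ip} - - [01/May/2009:{hms}] "GET {path} HTTP/1.1" 200 512')

    shoppers = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    for i, sec in enumerate((50, 52, 55, 58)):                 # 11:59:50-59: normal
        add(shoppers[i % 3], f"11:59:{sec}", "/catalog")
    for ip in shoppers:                                        # 12:00:00-09: shoppers
        add(ip, "12:00:01", "/checkout")
        add(ip, "12:00:06", "/cart")
    for i in range(45):                                        # ...plus a looping client
        add("10.0.0.9", f"12:00:{i % 10:02d}")
    for host in range(1, 26):                                  # 12:00:20-29: 25 sources
        for j in range(5):
            add(f"192.0.2.{host}", f"12:00:{20 + (host + j) % 10}")
    lines.append("garbage line that does not parse")           # resilience check
    return lines


if __name__ == "__main__":
    for finding in classify(sample_log()):
        print(finding)
```

The distributed case is the harder one to act on: blocking the heavy source ends a single-client loop, but for the flood the per-source counts give nothing to block, which is why the mitigations discussed later in this section are applied upstream of the server.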
Lo (2003) identifies two main types of Denial of Service attacks—operating system attacks that target bugs in specific operating systems and networking attacks that exploit inherent limitations of networking. Denial of Service attacks include physical or remote takeover attacks and death-pill attacks (Brustoloni, 2002). In a physical takeover attack, the attacker achieves physical access to components of the Internet Service Provider or e-vendor infrastructure, such as routers or servers, and compromises their proper functionality. In a remote takeover attack, the attacker takes advantage of some bug in the infrastructure’s software so as to gain access to private resources and thus be able to modify the software remotely. In a death-pill attack (e.g., land, teardrop, or ping of death) the attacker launches one or a few packets at an infrastructure element (e.g., router or server) known to contain a bug, such that the packets cause the component to break down. Proper Internet Service Provider and e-vendor physical security can get rid of physical takeover attacks. Likewise, timely installation of patches or updates that fix software bugs can avoid future remote takeover or death-pill attacks exploiting those bugs. The Ping of Death can crash or reboot a computer by sending a “ping” message of greater than 65,536 bytes; the default size is 64 bytes (Warren & Hutchison, 2001).
Presently the two most popular DDoS attack techniques are smurfing and TCP SYN flooding, which are both congestive in nature and have become quite common. In a “smurf” attack, the attacker launches ICMP (Internet Control Message Protocol) echo requests to a network’s broadcast address. The attacker spoofs the requests with the victim’s address. As a result, each host in the network replies not to the attacker but to the victim, thus unwittingly becoming an agent of the attack. “Fraggle,” another DDoS attack, uses the same general idea as “smurf” and can be said to be its cousin, but instead uses UDP echo (port 7) to accomplish the task. http://www.powertech.no/smurf/ is a website that scans the internal network and permits the system administrator to enter a known smurfing amplifier site, to which the perpetrators of these attacks send spoofed packets in order to generate traffic that results in a denial of service. In order to put an end to the spoofing of packets, all networks should perform packet screening at the edge of the network where customers connect, that is, at the access layer, so as to prevent source-address-spoofed packets from entering from downstream networks or leaving for upstream networks. In the second case, TCP SYN flooding, the attacker or its agents send a flood of spoofed TCP SYN packets requesting that a connection be established with the victim. Each such phony request results in the victim fruitlessly tying up resources that could otherwise be used for requests from valid clients. In order to defend against a TCP SYN ACK attack, Cisco Systems suggests:

• Increase the size of the connection queue (SYN ACK queue).
• Decrease the time-out waiting for the three-way handshake.
• Employ vendor software patches to detect and circumvent the problem (Cisco, 2007).
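The packet screening recommended above for the access layer can be expressed as a small rule set, shown here in Python as an added illustration that is not part of the original article or of any vendor’s product. It applies the two directional checks the text describes, a packet arriving from a downstream customer must carry a source address from that customer’s assigned prefix and a packet leaving for the upstream must carry one of the network’s own source addresses, and it also refuses ICMP echo requests and UDP echo (port 7) datagrams addressed to a directed-broadcast address, which is the amplifier that smurf and fraggle depend on. The prefixes, customer names and sample packets are constructed; `screen` and `audit` are this example’s own names.

```python
"""Added example (not from the paper): access-layer packet screening that
drops source-spoofed packets in both directions and refuses echo requests
aimed at a directed-broadcast address, the amplifier that smurf (ICMP) and
fraggle (UDP port 7) rely on. Prefixes and packets are constructed."""
import ipaddress

# Prefix assigned to each downstream customer port (constructed addresses)
CUSTOMER_PREFIXES = {
    "cust-a": ipaddress.ip_network("203.0.113.0/24"),
    "cust-b": ipaddress.ip_network("198.51.100.0/26"),
}
# Everything this network may legitimately originate toward the upstream
OUR_PREFIXES = list(CUSTOMER_PREFIXES.values()) + [ipaddress.ip_network("192.0.2.0/24")]


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our connected subnets."""
    return any(dst == net.broadcast_address for net in OUR_PREFIXES)


def is_echo_request(pkt):
    """ICMP echo request (type 8) or UDP echo (port 7): the smurf/fraggle triggers."""
    return ((pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8)
            or (pkt["proto"] == "udp" and pkt.get("dport") == 7))


def screen(pkt, direction, customer=None):
    """Return ("forward" | "drop", reason). direction is "ingress" (arriving on a
    downstream customer port) or "egress" (leaving toward the upstream)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if direction == "ingress":
        allowed = CUSTOMER_PREFIXES[customer]
        if src not in allowed:
            return "drop", f"spoofed source {src}: {customer} may only use {allowed}"
    elif direction == "egress":
        if not any(src in net for net in OUR_PREFIXES):
            return "drop", f"source {src} is not ours; would make us a spoofing origin"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    if is_echo_request(pkt) and is_directed_broadcast(dst):
        return "drop", f"echo request to directed broadcast {dst} (smurf/fraggle amplifier)"
    return "forward", "ok"


SAMPLE_PACKETS = [  # constructed traffic as seen at the edge: (name, direction, customer, packet)
    ("legit-customer-web", "ingress", "cust-a",
     {"src": "203.0.113.10", "dst": "192.0.2.80", "proto": "tcp", "dport": 443}),
    ("spoofed-source-from-customer", "ingress", "cust-a",
     {"src": "198.51.100.5", "dst": "192.0.2.80", "proto": "tcp", "dport": 80}),
    ("smurf-trigger", "ingress", "cust-a",
     {"src": "203.0.113.10", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8}),
    ("fraggle-trigger", "egress", None,
     {"src": "192.0.2.9", "dst": "203.0.113.255", "proto": "udp", "dport": 7}),
    ("unicast-ping", "egress", None,
     {"src": "192.0.2.9", "dst": "198.51.100.200", "proto": "icmp", "icmp_type": 8}),
    ("egress-foreign-source", "egress", None,
     {"src": "10.0.0.1", "dst": "198.51.100.200", "proto": "udp", "dport": 53}),
]


def audit(packets=SAMPLE_PACKETS):
    """Run the sample traffic through the screen; returns {name: verdict}."""
    return {name: screen(pkt, direction, customer)[0]
            for name, direction, customer, pkt in packets}


if __name__ == "__main__":
    for name, direction, customer, pkt in SAMPLE_PACKETS:
        verdict, reason = screen(pkt, direction, customer)
        print(f"{name:30s} {direction:8s} {verdict:8s} {reason}")
```

The ingress rule is the one that protects other people’s networks (a customer cannot send packets pretending to be the victim), the egress rule is the one that protects this network’s reputation, and the broadcast rule is what stops the subnet from answering as an amplifier regardless of where the trigger came from.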


The TCP SYN attack focuses on exhausting the target PC’s memory, and the ICMP smurf attack focuses on exhausting network bandwidth (Bolz, Romney, & Rogers, 2004, p. 72). Different DDoS attack tools employed by “cybercrooks” include Trin00, which can be installed on Linux or Solaris; Tribe Flood Network, which generates a TCP SYN as well as a smurf flood; Tribe Flood Network 2000, which can be deployed on almost all UNIX flavors as well as Windows to generate an ICMP, UDP, or TCP SYN flood; and Stacheldraht, which combines features of Trin00 and Tribe Flood Network and normally attacks systems running Linux or Solaris (Criscuolo, 2000). Cybercrooks constantly use their creativity to invent malicious programs that may be used to launch Denial of Service attacks.
Unfortunately, website defacement has also become a significant
problem, and sites running unpatched Web server software repre-
sent a relatively easy target, even for novice crackers (Furnell,
2006). The cracker may leave his or her mark on the defaced home-
page of an SME website, typically a message such as ‘‘This site is
cracked by . . .’’ Although it
Downloaded by [UQ Library] at 19:30 10 November 2014

sounds simplistic, capturing usernames and passwords is a very
popular and successful technique used by crackers to break into a
site and deface it. To obtain these credentials, crackers use var-
ious information-gathering techniques that exploit vulnerabilities
in the system. Known vulnerabilities that remain unresolved give
attackers an opportunity to gain entry and then replace or modify
site content. If the cracker has a username, he or she can try to
guess the password by going through a list of popular or default
choices, or by making informed guesses. After having logged on to
the system, the cracker tries to acquire the highest level of
privileges, that is, system administrator privileges. Once the
cracker holds privileged access rights, he or she actually controls
the machine, and if the aim is to deface the website, he or she
simply modifies the content of the pages. In 2008, the Pennsylvania
government’s website suffered a defacement in which the crackers
planted malware (Web Application Security Consortium, 2008).
As with DoS attacks, website defacement incidents are by no
means restricted to the E-Commerce sites of SMEs, and a look at
statistics from a defacement watchdog (http://www.zone-h.org/)
reveals victims ranging from government sites to academic insti-
tutions. However, the possible impact for an E-Commerce website
could again be graver than for a website that merely provides
information services (Furnell, 2006). For example, coming across
a defaced site can cause lasting damage to the customer’s impres-
sion of the business and in particular to the perception of its
security.
Microsoft websites have repeatedly been defaced by means of SQL
injection. On April 26, 2009, a defacer known as ‘‘Agd_Scorp’’
defaced six Microsoft websites. In 2008 Microsoft was targeted
mostly because defacers liked Linux more; now it is done just ‘‘for
fame,’’ and in this case too the defacer left no message (Zone-h,
2008). There was a breach of security on the website of one of
India’s largest public sector banks, Bank of India, as well as
Microsoft’s U.K. website in the year 2007 (Web

Application Security Consortium, 2007). The bank’s website was
defaced with code that served a Trojan to visitors, and Microsoft’s
U.K. website was defaced by means of an SQL injection.
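The chain this section describes, a credential harvested through a flaw in the site, a password guessed from a list of popular choices, and content altered with the resulting access, can be shown end to end. The block below is an added example, not code from the article or from any of the sites named above, and it serves both the credential-guessing passage and the SQL injection incidents: a page lookup vulnerable to SQL injection leaks the administrator's password hash through a UNION query, the hash is matched offline against a constructed list of common passwords, and the parameterised lookup beside it returns nothing for the same input. The schema, the hash (MD5 of ‘‘password’’) and the wordlist are constructed.

```python
# Added example (not from the article or from any site named above): a SQL
# injection in a page lookup leaks the administrator's password hash, the
# hash is matched against a list of common passwords, and the parameterised
# lookup beside it is immune. Schema, rows, hash and wordlist are constructed.
import hashlib
import sqlite3


def make_db():
    """Constructed site database: public pages plus the users table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages(slug TEXT PRIMARY KEY, body TEXT);
        CREATE TABLE users(username TEXT, pw_hash TEXT);
        INSERT INTO pages VALUES ('home', 'Welcome to Example Ltd');
        -- unsalted MD5 of 'password', a default choice a cracker tries early
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con


def get_page_vulnerable(con, slug):
    """Builds the query by concatenation, so the request becomes SQL."""
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in con.execute(sql)]


def get_page_safe(con, slug):
    """Bound parameter: the value travels separately from the statement,
    so quotes and keywords inside it are data, never syntax."""
    return [row[0] for row in
            con.execute("SELECT body FROM pages WHERE slug = ?", (slug,))]


# Constructed attacker input: closes the string literal, UNIONs the
# credential table onto the result, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username || ':' || pw_hash FROM users --"

# Constructed list of popular/default choices.
WORDLIST = ["123456", "admin", "letmein", "password", "qwerty"]


def guess_password(pw_hash, wordlist):
    """Offline guessing against a leaked unsalted MD5 hash; returns the
    matching word or None. This is the 'list of popular or default
    choices' step, done without touching the site again."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == pw_hash:
            return word
    return None


def demo():
    con = make_db()
    leaked = get_page_vulnerable(con, PAYLOAD)   # credentials, not a page
    safe = get_page_safe(con, PAYLOAD)           # no page has that slug
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned:", leaked)
    print("parameterised lookup returned:", safe)
    user, pw_hash = leaked[0].split(":")
    print("guessed password for", user, "->", guess_password(pw_hash, WORDLIST))
```

On a real site the next step is logging in with the recovered credentials and editing the stored page body, which is why the fix is the bound parameter together with a salted, deliberately slow password hash in place of MD5, not a filter that looks for the word UNION.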

CAUSES OF CLIENT–SERVER CYBERSECURITY THREATS


Kalkota and Whinston (1999, p. 179) attribute common client–server
security threats to three kinds of hole: 1) physical security holes;
2) software security holes; and 3) inconsistent usage holes. The
three kinds are described below:

1. Physical Security Holes: These holes result when somebody
from outside gains unauthorized physical access to the internal
network of an SME. Many employees suffer from ‘‘password
overload,’’ and often a worker keeps his or her password on a
‘‘sticky note’’ attached to the computer monitor, which a cracker
who gets physical access to the system will notice. A more serious
problem arises if the cracker can gain access to a server (Kalkota
& Whinston, 1999) running in a multi-user environment and reboot
it into single-user mode, which typically yields a root shell and
cuts off the rest of the users on the network. Moreover, the
cracker can then tamper with files, steal personal information
kept on the machine, or delete vital data, any of which may result
in significant loss. Becker and Berkemeyer (2006) suggest that
physical security holes can be plugged by assessing physical
security in terms of the building perimeter, cubicles, halls,
offices, conference rooms, doors, and other public areas. The
physical work area is evaluated for unsecured computers, written-
down passwords and user IDs, faxes, printers, and confidential
documents.
2. Software Security Holes: These holes result when the soft-
ware has been badly written from a security point of view and
can be ‘‘compromised’’ into doing things that prove fatal to the
security of the network. Many software security holes occur
because of low-level programming blunders that are copied and
spread across many different applications, producing bugs that
may prove lethal for system security. Software security holes
also arise out of bugs or security flaws in the operating system or
in network security software such as firewalls. All software
normally has certain loopholes with security repercussions, and
developers must correct such errors so that they do not threaten
security integrity (Martin, 2001). A common software security
hole that brought the Internet to its knees was the ‘‘sendmail
hole,’’ which was the reason for many DoS attacks by e-bombing:
cybercrooks developed automated e-bombing tools such as
Avalanche, Unabomber, Kaboom, and Voodoo for different plat-
forms, which exploited this hole (Bass, Freyre, Gruber, & Watt,
1998). Similarly, a vulnerability was reported in the TFTP daemon
of all versions of AIX for IBM RS/6000 workstations (CERT, 1991).
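A file-serving routine that trusts the requested name is the kind of low-level blunder described above, one that recurs across applications and daemons that hand out files. The following is an added example, not code from the article or from any of the software it names: the vulnerable version joins the request onto the document root and reads whatever results, while the hardened version resolves the final path and refuses anything outside the root. The directory layout is constructed in a temporary directory, and the hypothetical root /srv/www in the checks is likewise an assumption.

```python
# Added example (not from the article or from any of the software it names):
# a file-serving routine that trusts the requested name, beside a hardened
# version. The directory layout is constructed in a temporary directory.
import os
import shutil
import tempfile


def serve_file_vulnerable(root, requested):
    """Joins the untrusted name onto the document root and opens whatever
    results: '../secret' walks out of the root, and an absolute name such as
    '/etc/passwd' replaces the root entirely (os.path.join semantics)."""
    with open(os.path.join(root, requested), "rb") as fh:
        return fh.read()


def resolve_under_root(root, requested):
    """Resolve symlinks and '..' in the final path and return it only if the
    document root is still a prefix of it; otherwise return None."""
    root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root, requested))
    return path if os.path.commonpath([root, path]) == root else None


def serve_file_safe(root, requested):
    """Refuse the request, instead of opening it, unless the resolved path
    stays under the root."""
    path = resolve_under_root(root, requested)
    if path is None:
        raise PermissionError("request escapes document root: " + requested)
    with open(path, "rb") as fh:
        return fh.read()


def setup_tree():
    """Constructed layout: <base>/www/index.html is public, <base>/secret is
    not. Returns (base, www)."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    os.mkdir(www)
    with open(os.path.join(www, "index.html"), "wb") as fh:
        fh.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret"), "wb") as fh:
        fh.write(b"db password")
    return base, www


def demo():
    base, www = setup_tree()
    try:
        leaked = serve_file_vulnerable(www, "../secret")   # escapes the root
        try:
            serve_file_safe(www, "../secret")
            blocked = False
        except PermissionError:
            blocked = True
        index = serve_file_safe(www, "index.html")         # normal request
    finally:
        shutil.rmtree(base)
    return leaked, blocked, index


if __name__ == "__main__":
    print(demo())
```

The check is done on the fully resolved path rather than by looking for the string ".." in the request, because encoded dots, absolute names and symlinks inside the root all defeat a textual filter while still resolving to a location outside it.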


3. Inconsistent Usage Holes: A badly administered SME system
is a definite threat that increases the vulnerability to some of
the other problems already discussed and may result in a
‘‘security hole.’’ Such holes can also be attributed to carelessness
on the part of the system administrator or to incompatibility
between the hardware and software. They emerge and make
systems vulnerable because the systems have not been kept up
to date (e.g., failure to apply the latest patches, leaving them
open to cracker exploits and malware), or because they were
badly configured in the first place. Should a script or attack not
work against the intended target, the cracker can simply use any
number of other methods to find and exploit vulnerabilities, such
as unapplied patches (Jennex, Walters, & Addo, 2004). According
to Gartner, 90% of the security breaches on the Internet occur
because software applications are not properly patched or con-
figured (Brykczynski & Small, 2003). Furthermore, system admin-
istrators of SMEs must track the following measures: vulnerability
awareness delay, vulnerability evaluation duration, vulnerability
response time, patch awareness delay, patch evaluation latency,
patch evaluation duration, and patch implementation duration
(Brykczynski & Small, 2003). Vulnerability awareness delay
measures the effectiveness of an SME’s vulnerability awareness
process, vulnerability evaluation duration measures the respon-
siveness of an SME’s evaluation of a vulnerability alert, and
vulnerability response time is the sum of the two (i.e., vulner-
ability awareness delay plus vulnerability evaluation duration).
Patch awareness delay measures the time between a vendor
publishing a patch and the SME becoming aware of it, and patch
evaluation latency measures the delay between the SME becoming
aware of the patch and the beginning of its evaluation. Patch
evaluation duration is the time the SME spends ensuring that the
patch effectively closes or reduces the vulnerability and checking
it for side effects, and finally patch implementation duration is
the time the SME takes, from becoming aware of the patch, to
implement it fully.

Robinson (2003) says that some of the factors that undermine
the effectiveness of the patching process, leading to inconsistent
usage holes, are:

1. Patches are not identified and installed in time to prevent
damage.
2. Even after a patch has been identified, many susceptible SME
systems remain unpatched, because vulnerable systems were
overlooked when the patch was deployed.
3. Patches themselves may be flawed and may not properly close
the vulnerability.
4. Defective patches may introduce new vulnerabilities or cause
loss of service, or their installation may have no effect at all,
so that they do not serve the purpose for which they were
installed.


Additionally, the role and importance of system administration in
SMEs is often shortchanged in job descriptions, resulting in many
administrators being, at best, part-time and poorly prepared (Rolf,
2002). These holes are difficult to detect once the system is
assembled and working, so it is better that precautions are taken
while setting up the system.

COMMON CYBER IDENTITY THEFTS


Cyber identity theft involves the use of electronic means (e.g., the
Internet) to carry out any form of identity theft. Cyber identity
theft has been labeled ‘‘the crime of the twenty-first century’’
(Thompson, 2002; Deloitte, 2006). Close, Zinkhan, and Finney
(2006) define cyber identity theft as the on-line or electronic
acquisition of personal information with the purpose of using
that information for deceitful activity either on the Internet or
off-line. According to the Identity Theft and Assumption Deterrence
Act (the Identity Theft Act; U.S. Public Law 105-318), an identity
theft offender is anyone who ‘‘. . . knowingly transfers or uses,
without lawful authority, any name or number that may be used,
alone or in conjunction with any other information, to identify a
specific individual with the intent to commit, or to aid or abet, any
unlawful activity that constitutes a violation of Federal law, or that
constitutes a felony under any applicable State or local law’’
(Newman & McNally, 2005). Recently, the U.S. Congress passed,
by a unanimous vote, the Identity Theft Enforcement and
Restitution Act of 2007, a bill to amend title 18, United States
Code, so as to enable increased federal prosecution of identity
theft crimes and to allow for restitution to victims of identity theft
(OpenCongress, 2007). Newman and McNally (2005) identify three
stages of identity theft: acquisition, use, and discovery. The first
stage is the acquisition of the identity through theft, computer
cracking, fraud, trickery, or social engineering. This is followed by
use of the identity for financial gain or to avoid arrest or otherwise
hide one’s identity from law enforcement or other authorities (such
as bill collectors). Discovery is the time taken to detect a cyber
identity theft, and it is this stage that decides the amount of loss
incurred by a victim. The crimes that can be categorized under
identity theft are: credit card fraud; financial crimes of different
kinds; various telemarketing and Internet scams; pilfering or rob-
beries of various types in which identification information is
stolen either by accident or purposely; counterfeiting; and forgery
(Newman & McNally, 2005). There are three main categories of
identity theft:
1. Financial Identity Theft: The perpetrator uses the victim’s
identifying personal information to open accounts such as
bank accounts, credit cards, or car loans, or even to rent a
property.
2. Criminal Identity Theft: The perpetrator, when required to
identify himself or herself to law enforcement, offers the
victim’s information instead of his or her own.
3. Cloning Identity Theft: The perpetrator uses the victim’s
information to set up a new life, usually to appropriate the
victim’s professional standing or for illegal migration.


There are a number of methods of obtaining the credit card details
of SME consumers, from the low-tech method of ‘‘bin-raiding’’ to
the high-tech methods of ‘‘cloning,’’ ‘‘skimming,’’ and obtaining
details by hacking into websites (Reuvid, 2003).
The estimated losses associated with identity theft, which are
compounding at a rate of 300%, were expected to reach $3 trillion
by the end of 2007 according to Aberdeen, a Boston-based industry
analyst firm (Smith & Lias, 2007). Academic research is beginning
to emerge on the topic of identity theft; however, to date scholars
have published relatively few studies specific to Internet-related
identity theft. Close et al. (2006) present a summary of cyber
identity theft with a stress on the repercussions for public policy:
both policy and on-line behavior must change to combat cyber
identity theft. Internet-related identity theft is, in part, a function
of an individual’s risky on-line transactions, and consumers’ on-
line behavior may increase or decrease the risk of becoming a
victim of identity theft. Each consumer differs in the extent to
which he or she protects his or her on-line identity and privacy,
a difference that may be attributed to the Internet user’s demo-
graphics, attitude, and on-line behaviors. Comparative funds mis-
appropriated through identity theft in 2006 and 2008 in the
United States are depicted in Figure 1.
Close, Zinkhan, and Finney (2004) describe the methods of iden-
tity theft, which are shown in Table 1.
Common methods of cyber identity theft include: employee
abuse, cracking, social engineering, phishing/pharming, spy-
ware/malware/adware, and password/login attacks. Close et al.
(2006) suggest that cyber identity thefts reveal a number of
implications for policymakers; in order to protect consumers it
becomes necessary: (a) to inform customers about related
hazards, (b) to present secure settings for carrying out electro-
nic exchanges, (c) to help victims, and (d) to put into practice
public policy remedies and legal action. Unluckily, the number of
cyberscams is limited only by the considerable imagination of
cyberthieves, and cybercrooks keep on inventing new ways to
steal identities. Successfully managing systems implies that
security risks are understood and the appropriate interventions
introduced. Security risks are classified as inadvertent or
deliberate. Volonino and Robinson (2004, p. 63) advocate per-
forming a risk analysis. Risk analysis is not a deliberate SME
strategy, and although SME management may consider the con-
sequences of data loss, the risk assessment process is unlikely to
occur. As a consequence, customers and E-Commerce firms should
constantly invent new ways to protect consumers’ identities from
the creative crooks and cybercrooks. Following Close et al. (2006),
some cyber identity thefts are explained in the following sections.

Figure 1 Comparative mean dollar misappropriated funds in 2006 and 2008.

Table 1 Key Methods of Cyber Identity Theft

Method | Definition | Example

Broad scope
Cracking | Breaking into a computer database, personal or business | Wiring another’s funds
Employee theft | Employees using or selling their SME’s database for fraudulent ends or without prior permission | Pilfering office files
Dictionary programs | Automatically trying every dictionary word as a possible password | Checking all words A–Z
Spyware | Software, often disguised, that may install itself with legitimate or free downloads to collect personal information | Weather bug, Gator
Skimming | Copying information from a magnetic strip and subsequently using it to create a duplicate | Credit cards
Tapping | Monitoring computer systems to extract key information | Restaurant computers for credit card numbers
Pre-approved credit | Taking another’s pre-approved credit offer and SSN to open an unauthorized account | Mailed credit card offers
Mass rebellion | Peer-to-peer networks built to exchange music or media files; at present the future of such sites is unclear, and some users are being taken to court (e.g., by the music and film industry) | Peer-to-peer sites (e.g., Kazaa, Napster)

Narrow scope
Carelessness | Prowling for users who use their computer or Internet access carelessly | Saved passwords, logoff that does not go through
Disposal abuse | Obtaining information from another’s disposed-of or sold hardware or software | Dumpster-diving, personal information left on an old computer sent to a junk-yard or garage sale
Autofill abuse | Obtaining information from computer programs that ‘‘memorize’’ and complete typing on another’s machine | Type in a few letters until cleared
Phishing | Establishing a fake website designed to look like an SME’s actual site, or sending official-looking messages | ‘‘Official’’ request for SSN
Phony | A phony machine that copies personal information | ATM
Posing | Wrongfully representing another individual | Bank rep., computer exams
Pranking | Posing as another on-line to play a joke or for fun | E-dating
Fraudulent job posting | Posting a job that does not exist to collect personal information | ‘‘Manager Wanted: Apply Online’’
Shoulder surfing | Peeking at information as another enters it on a computer screen; physically watching passwords | Passwords, account numbers
Intercepting | Receiving on-line traffic intended for another | IM (Instant Message), e-mail

Employee Abuse
Employee abuse may cause internal threats or ‘‘insider threats’’
when disgruntled employees who think they have not been treated
properly, or non-compliant (non-malicious) employees, disclose
confidential information. In an IT infrastructure context a threat
is defined as ‘‘a set of circumstances that has the potential to
cause loss or harm’’ (Magklaras, Furnell, & Brooke, 2006, p. 362),
and an insider threat is such a threat posed by someone inside the
organization. According to surveys, ‘‘insider threats’’ are one of
the most common and costly types of attack on SMEs (CERT, CSO,
& ECTF, 2007). Verizon’s data breach investigation report, which
surveyed 500 incidents, concluded that although outsider threats
are more likely, insider threats are more costly (Harwood, 2008).
As per the annual FBI/CSI surveys carried out since 1996, ‘‘insider
threats’’ stemming from internal attacks and employee abuse form
a significant portion of reported incidents (Chinchani, Iyer, Ngo,
& Upadhyaya, 2005). There have been many studies on what the
‘‘insider threat’’ is, but the threat is defined vaguely (Bishop,
2005), thereby compounding the problem. These activities can
lead to a loss of network integrity and loss of data. Employees who
perceive that they are treated unfairly may serve as a ‘‘physical
security hole’’ in the organization by providing the essential data
for cyber identity theft. One potentially very damaging employee
response to being dismissed, overlooked for promotion, or simply
aggravated by a manager is to seek revenge by damaging the
employer’s computer systems or the data contained within them
(Doherty & Fulford, 2005). An insider can pass information such
as databases containing customer information to virtual thieves,
who may sell it to rival SMEs. Worse, criminals can use proprietary
organizational data for a number of dangerous or illegal activities,
including extortion, fraud, theft, or national security threats.
These threats are the most difficult to cope with because insiders
have access to information and capabilities not available to
outside malicious crackers. Employees may disclose personal
information inadvertently or purposely. It is often conjectured
that most SMEs do not report computer abuse by their employees
(Furnell & Warren, 1997), or the insider threats that result, in
order to avoid adverse publicity and the risk of losing the
confidence of their stakeholders. McCollum has correctly pointed
out that more attention is needed to the relationships among
people and their computers, and that technology is not the whole
picture (Lee & Lee, 2002); it requires effectively managing people.
Anderson, Bozek, Longstaff, Meitzler, Skroch, and Wyk (2000)

have proposed the following recommendations for defense and
prevention of insider computer and network compromises:
• Develop a complete insider threat taxonomy.
• Develop a plan to define and acquire insider data.
• Develop a plan and strategy for a ‘‘confederation of insider mod-
  els’’ that can work together synergistically.
• Develop metrics for success and quantify observables.
Employers should include in their electronic communications policy
a clause to the effect that no confidential information is to be sent
via e-mail or that if it is, it must be encrypted (Reuvid, 2003).
Additionally, the use of encrypted e-mail must itself be monitored,
as it is a mechanism by which confidential information can leave an
organization without being inspected for inappropriate content.

Cracking
The term hacking is usually used to describe the act of intruding
into computer systems by stealth and without permission and is
often confused with cracking. The term is used routinely today by
almost all computer novices when talking of any crime involving
computer fraud and abuse, or of intruding into a computer in an
unauthorized manner. The terms cracking and hacking have often
been confused with each other and used interchangeably by many
authors, much to the disappointment of real hackers (Raymond,
2001). There are numerous definitions of ‘‘hackers’’ on the Web.
A hacker is a computer enthusiast who is well trained in computer
languages and computer systems and can be considered an
authority on the subject (Raymond, 2001). Of late the real hacker
community has been somewhat successful at contesting the
malicious meaning attached to the term ‘‘hacker,’’ which has been
abused most by media reports (Erickson & Howard, 2007).
Hackers can be classified into black-hat hackers, grey-hat hackers,
and white-hat hackers (Merkow & Breithaupt, 2000). Black-hat
hackers, or crackers, are a malicious lot and the most feared in the
computer community. Grey-hat hackers are people who want to
perform a public service by sharing their knowledge of computer
weaknesses; grey hats are a hybrid between black hats and white
hats, are often found in the corporate world, and are typically
highly skilled programmers or system administrators. White-hat
hackers protect innocent computer users from black and grey hats
and often charge very high fees for their services. These hackers
may be fully reformed criminals who have gone legitimate and now
work for commercial security consultancies. Recently, the term
‘‘ethical hacking’’ has come into vogue. An ethical hacker is a
computer and network expert who attacks a security system on
behalf of its owners, seeking vulnerabilities that a malicious hacker
or cracker could exploit.
Another significant external threat is the penetration of organi-
zational computer systems (Doherty & Fulford, 2005) by crackers.
Such attacks, often termed ‘‘intrusions,’’ can be particularly dan-
gerous, as once the cracker has successfully bypassed the network
security, he or she is free to damage, manipulate, or simply steal
data at will. Cracking, or entering another’s computer, is a common
method of the cyber identity thief. The most common cyber identity

theft tactic is to crack into a computerized database and take per-
sonal information. Cracking is accessing content, services, com-
puter systems, accounts, or networks belonging to other SMEs or
some other party without permission, misusing or tampering with
them, or attempting to penetrate another party’s security system,
all of which is prohibited by cyberlaws. Crackers break into a
computer system with malicious intent to cause harm, or for a
thrill. Building upon the basic skills of hackers, crackers have
explored, and continue to explore, the ‘‘opening up’’ of computer
systems for their particular desires (Colarik, 2006). Crackers have
the ability to paralyze large parts of communication networks and
cause financial meltdown and unrest. They enjoy the challenge of
breaking into forbidden structures to achieve whatever prize is
waiting as a result of their efforts, and they relish breaking an
encryption algorithm or even creating tools that provide an unfair
advantage over other participants in an online game. These are
but a few examples of cracker activities. Despite the legal con-
sequences of cracking, these individuals carry forward many of the
social rationalizations of hackers to justify their misuse of
incomplete, weak, and/or commercialized systems.
One area that crackers specialize in is breaking protective
mechanisms and bringing down weak systems. They may focus on
particular parties whose systems are mainly weaker and can be
interrupted or broken down. The development of the software
security industry has been a reaction to increasingly sophisticated
attacks against computer and networked structures. While this is
by no means a justification for unlawful behavior, crackers tend to
consider their acts more a public service than a criminal act.
According to the Web Application Security Consortium’s Web
Hacking Incidents Database, a Chinese cracker stole user informa-
tion on 18 million online shoppers at Auction.co.kr, and in the same
year a cracker broke into Ecuador’s presidential website (Web
Application Security Consortium, 2008). eBay, one of the most
successful Internet ventures in the history of E-Commerce, was
mysteriously cracked, with the cracker posing as 1200 separate
users (Reimer, 2007). Cracking has since evolved into ‘‘phishing.’’

Social Engineering
Popularized by Kevin Mitnick, one of the most noted crackers of
his time, social engineering is an assortment of tricks used to man-
euver people into performing actions or disclosing secret
information. Social engineering attacks take advantage of human
interaction; social skills are used to trick the victim into a compro-
mising action, such as revealing personal information or opening
an infected e-mail message (Chen & Davis, 2006). Social engineer-
ing can be pooled with many of the other attack methods and tools to
compromise security for just about any purpose. Even though
social engineering attacks are effortless and low tech, they can be
unexpectedly successful if executed properly. As per Mitnick, a
social engineering attack is much like the software development
lifecycle (SDLC) and consists of a Social Engineering Cycle which

has four stages: conducting research about the victim, developing
rapport and trust, exploiting that trust, and utilizing the
information obtained (Thornburgh, 2004). Social engineering
particularly takes advantage of users’ lack of security awareness
to breach security (i.e., obtaining access to information by trickery
or persuasion). A social engineering attack entails masquerading
as an employee with known authority, either in person (disguised)
or by an electronic means of communication (e-mail, fax, or the
telephone). The motive of cybercrooks practicing social engi-
neering is to get people to reveal secret information such as user
names, passwords, points of entry, working hours, and so forth, as
the first step in intruding into a system. Conventional approaches
to social engineering include official-sounding telephone calls
from so-called bank representatives, a trespasser posing as an
employee or system administrator, or even an authorized visitor
using an employee’s phone to call technical support while the
employee steps out of the office for a few minutes.
IT infrastructure is vulnerable to social engineering attacks,
which easily circumvent all firewalls and all types of encryption.
It is a well-known and broadly practiced approach among SMEs to
log and record all users’ transactions for the purpose of network
auditing, but such logs reveal an attack only after the fact and
come too late to prevent damage to the IT infrastructure. Social
engineering employs techniques such as phishing, IVR/phone
phishing, and trojan horses. Phishing uses social engineering to
deceive online consumers into revealing confidential information.
Pharming is a corresponding activity that misdirects naive
Internet users to phony destinations, where they are induced to
willingly give up their valuable data through phishing schemes.
There was a security breach at MTV when an employee’s computer
containing confidential information was compromised as a result
of successful social engineering (Kaplan, 2008). Phishing and
pharming are covered next.

Phishing/Pharming
E-Commerce is most affected by phishing and pharming. The
Federal Trade Commission defines phishing as ‘‘a high-tech scam
that uses spam or pop-up messages to deceive you into disclosing
your credit card numbers, bank account information, Social
Security number, passwords, or other sensitive information’’
(Phishing Dangers, 2005). The odd spelling of these terms relates
to their origin among hackers early in the history of personal
computers and the Internet, when crackers began to substitute the
letters ‘‘ph’’ for ‘‘f’’ (McClain, 2006). Phishing is a variant of
‘‘fishing’’ in which a cracker uses a lure to ‘‘fish’’ for a user’s
financial information and passwords. In the cyberworld, phishing
and pharming are terms of art describing criminals’ use of a
combination of technology and social engineering to deceive users
into revealing sensitive information, allowing the perpetrator to
fraudulently access the victim’s financial resources. Advanced
phishing examples include misappropriating the ‘‘look and feel’’
of a well-known or esteemed SME website, inducing a trusting
user to disclose sensitive data such as social security or credit
card numbers, passwords, account

usernames, and the like. Technically, e-mail may be used to
secretly install ‘‘malware,’’ such as trojan keyloggers and other
spyware, on an innocent customer’s computer, which then collects
sensitive credentials for later criminal misuse. This usually takes
place through the use of spoofed Web pages or online forms.
Phishing is another type of attack that is particularly likely to
target the E-Commerce domain: it tries to deceive users into
revealing sensitive data through messages and websites that pro-
fess to be from genuine sources such as banks and online retailers
(Furnell, 2006). These attacks often take the form of an official-
looking e-mail that claims to be from a trusted entity, such as eBay
or PayPal. Generally speaking, phishing and pharming have
evolved to focus primarily on financial institutions, such as banks
and credit unions, or on companies primarily concerned with
facilitating cash transactions, such as credit card companies or
online auction services such as eBay. With phishing, identity
thieves establish a fake website designed to look like an SME’s
actual site; gullible customers are drawn to the site and asked to
reveal personal information. The most familiar type of phishing
attack, and the earliest example of this activity, involves sending
an e-mail that purports to represent a legitimate business and
requests sensitive information from the recipient (McClain, 2006).
This has come to be called ‘‘spoofing.’’ Another form of phishing
is the ‘‘exploit-based’’ attack, which exploits a known defect in
browser programs, such as Microsoft’s Internet Explorer or
Mozilla Firefox, to install programs such as keyloggers via
malicious code contained in e-mails or websites.
As per Symantec, an active exploit of Cross Site Request Forgery
against residential Asymmetric Digital Subscriber Line routers
occurred in Mexico. An electronic mail with a phony IMG tag was
sent to victims. By opening the image in the mail, the user initiated
a router command to change the Domain Name Server entry of a
reputed Mexican bank, making any subsequent access by a user to
the bank go through the attacker’s server (Web Application
Security Consortium, 2008). According to a survey conducted by
Gartner Inc. in 2007, 3.6 million adults in the United States lost
money as a result of phishing attacks, which had escalated in
August 2007. Financial losses arising from phishing attacks
amounted to more than $3.2 billion in August 2007 (Gartner Group
Inc., 2007). Phishing reports around the world touched a record
high in February 2008, with the total number of reports being
30,716, after a period of decline in the months of January 2008 and
March 2008 (Anti Phishing Working Group, 2008), as depicted in
Figure 2. According to the Anti-Phishing Working Group, businesses
that are most hit by phishing can be divided into four categories:
financial services, retail, ISPs, and miscellaneous.
Figure 2 Phishing reports received January 2008–March 2008.

Pharming employs such tools, often through Domain Name
Service (DNS) hijacking or poisoning, to fraudulently redirect
unsuspecting users to fake websites or proxy servers (McAfee,
2006). Poisoning a domain name server entails altering the
particular record for a domain, as a result of which the user is
misdirected to a website other than the one he or she intended to
reach. Pharming can be viewed as a form of phishing attack in
which no e-mail enticing the user to click on a link is required.
This kind of attack makes use of Trojan horses, worms, or other
techniques that attack the browser address bar, thereby
misdirecting the user to a fraudulent website even when the user
types in a correct address. Pharming attacks can take the
following forms:
(a) DNS Spoofing: A DNS server can perform a query to an upstream
DNS server in order to resolve the IP address of a domain. The
process by which this is accomplished is called a recursive query.
This opens a name server to both cache poisoning and
denial-of-service attacks. The DNS server conducting such a query
could end up making a series of sequential queries to upstream DNS
servers to obtain an address, or, if the recursive query feature is
disabled, the DNS server simply forwards (DNS forwarding) the query
to the next DNS server higher up in the inverted tree of servers and
relinquishes control of that query request. Where recursive queries
are allowed, the DNS server can be fooled into thinking that it is
receiving a response from a trusted DNS server, when, in fact, it is
being ‘‘spoofed.’’ The spoofing server can issue a command to change
the IP address associated with a particular domain to the IP address
of a malicious DNS server.
(b) DNS Cache Poisoning: A fundamental component of the DNS
architecture is the ability of DNS to cache responses to queries in
order to improve the performance (throughput and delay) associated
with the DNS service. The downside of this is that if the cache gets
corrupted with a malicious, but otherwise well-formed, entry, then
the compromised cache will continue to be used to translate the
domain-to-IP mapping until the Time-To-Live (TTL) parameter is
reached. An even worse scenario would be if the TTL is also
modified to a very high number.
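Both failure modes described above, a forged answer that the resolver mistakes for a trusted one and a well-formed but malicious entry with an inflated TTL, come down to what a caching resolver is willing to accept. The Python sketch below is an added example and not code from the article or from any resolver: it models a minimal cache that accepts a response only when it matches an outstanding query's transaction id, source port and question name, discards records that lie outside the answering server's bailiwick, and clamps every TTL to a configured maximum. The class name, the `bank.example` names and the RFC 5737 addresses are all constructed for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class Answer:
    """One A record carried in a DNS response (constructed, simplified)."""
    name: str
    ip: str
    ttl: int


@dataclass
class PendingQuery:
    """What the resolver remembers about a question it sent upstream."""
    qname: str
    zone: str  # zone the queried server is authoritative for


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is at or below `zone`, i.e. the server may speak for it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self, max_ttl: int = 86400, clock=time.time):
        self.max_ttl = max_ttl      # upper bound on how long any record is kept
        self.clock = clock          # injectable so expiry can be exercised offline
        self._cache = {}            # name -> (ip, expires_at)
        self._pending = {}          # (txid, src_port) -> PendingQuery

    def send_query(self, txid: int, src_port: int, qname: str, zone: str) -> None:
        self._pending[(txid, src_port)] = PendingQuery(qname, zone)

    def accept_response(self, txid: int, dst_port: int, qname: str, answers) -> list:
        """Validate a response; return rejection reasons (empty list = all records cached)."""
        key = (txid, dst_port)
        pending = self._pending.get(key)
        if pending is None:
            # A reply that does not match txid and port is a guess, not an answer.
            return ["no outstanding query with this transaction id and port"]
        if pending.qname.lower() != qname.lower():
            return ["question name does not match the outstanding query"]
        rejected = []
        for a in answers:
            if not in_bailiwick(a.name, pending.zone):
                # The classic poisoning payload: a record for some other domain
                # piggybacked on a legitimate-looking reply.
                rejected.append(f"out-of-bailiwick record for {a.name}")
                continue
            ttl = min(a.ttl, self.max_ttl)   # an absurd TTL cannot pin the entry forever
            self._cache[a.name.lower()] = (a.ip, self.clock() + ttl)
        del self._pending[key]
        return rejected

    def lookup(self, name: str):
        entry = self._cache.get(name.lower())
        if entry is None:
            return None
        ip, expires_at = entry
        if self.clock() >= expires_at:
            del self._cache[name.lower()]
            return None
        return ip


def demo() -> dict:
    """Walk the three checks with constructed traffic; returns the observations."""
    now = [1_000_000.0]
    cache = ResolverCache(max_ttl=3600, clock=lambda: now[0])
    results = {}
    cache.send_query(0x1234, 40000, "www.bank.example", "bank.example")
    # 1. Forged reply with the wrong transaction id is ignored.
    results["wrong_txid"] = cache.accept_response(
        0x9999, 40000, "www.bank.example",
        [Answer("www.bank.example", "203.0.113.5", 300)])
    # 2. Genuine reply is cached; the piggybacked record for another domain is not.
    results["genuine"] = cache.accept_response(
        0x1234, 40000, "www.bank.example",
        [Answer("www.bank.example", "192.0.2.10", 300),
         Answer("www.otherbank.example", "203.0.113.5", 10**9)])
    results["bank_ip"] = cache.lookup("www.bank.example")
    results["otherbank_ip"] = cache.lookup("www.otherbank.example")
    # 3. A record with a huge TTL is clamped to max_ttl and expires on schedule.
    cache.send_query(0x4321, 40001, "mail.bank.example", "bank.example")
    cache.accept_response(0x4321, 40001, "mail.bank.example",
                          [Answer("mail.bank.example", "192.0.2.25", 10**9)])
    now[0] += 3601
    results["mail_ip_after_expiry"] = cache.lookup("mail.bank.example")
    return results
```

The transaction-id and port match is what a blind spoofer has to guess; the bailiwick rule is what stops a reply for one zone from rewriting the cache for another; the TTL clamp bounds the damage window even when an entry does get through. Real resolvers add source-port randomisation and DNSSEC validation on top of this.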
Pharming attacks can be tracked if the genuine site authenticates
to the browser with Secure Sockets Layer, because the browser
displays a warning message of a mismatch between the server
certificate and the domain name. Pharming attacks targeted
50 banks exploiting a vulnerability in Microsoft’s code that
downloaded a Trojan horse in the file iexplorer.exe (Kirk, 2007).
Phishing and pharming differ from the other threats listed in
the sense that avoiding an attack requires caution on the part of
the end user rather than the e-business (Furnell, 2006). This,
however, does not mean that the e-business is unaffected by the
problems. Quite the contrary in fact—the victim companies often
experience rising costs as a consequence of a mounting volume
of calls to their customer support lines, and as with other security
incidents, the unfavorable publicity could diminish trust in
the affected brand.

Spyware/Adware/Malware
Spyware is the main cause of cyber identity theft. According to De
Argaez (2004), 90% of all computers are now infected with some
type of spyware. A report from the Federal Trade Commission
spyware workshop defines it as ‘‘software that aids in gathering
information about a person or organization without their knowledge
and which may send such information to another entity without
the consumer’s consent, or asserts control over a computer
without the consumer’s knowledge’’ (Federal Trade Commission,
2004). Spyware is a malicious program that is used to monitor user
behavior or collect personal information that can be shared
maliciously or stolen and may result in fraud or cyber identity
theft. It may result in serious security risks and loss of data. In
addition, some spyware turns your computer into a zombie owned
by the cracker, who makes it send spam to others. For instance,
remote control software is a form of spyware that uses the infected
machine for mass mailing, resulting in DoS attacks and also in
distributing malicious content.
A related problem is that of adware that manifests itself in
the form of advertising content such as pop-up ads. Adware is
software to monitor and profile a user’s online behavior, typi-
cally for the purposes of targeted marketing (Chen & Davis,
2006). Adware is often installed at the same time as other
software programs without the user’s knowledge. Even when
the user is alerted to the presence of the adware (often buried
covertly in the ignored licensing agreement), adware can be
an attack on the privacy of the user when information about
the user is communicated back to a marketing organization.
Adware is primarily an annoyance, sometimes causing pop-up
marketing windows during Web surfing. It does breach
confidentiality by keeping track of browsing habits, and it may
consume most of the available bandwidth, as a result of which the
computer slows down.
Malware is ‘‘malicious software’’; a generic term encompassing a
variety of software programs and different types of programs
designed to attack, degrade, or thwart the planned use of computing
resources. Malware may manifest itself in the form of viruses,
worms, Trojans, malicious active content, and DoS attacks. The
first computer virus, a boot sector virus that spread through the
use of floppy disks, was recorded on an IBM PC in 1986 and was
called the Pakistani ‘‘Brain’’ Virus. The emergence of the Internet
for commercial applications and, to a greater extent, the
proliferation of active content on the Web have made the potential
for executing malware a real possibility warranting concern for end
users everywhere. Considering the openness of the Internet, the
ease with which software can be distributed and executed over the
Web is a double-edged sword (Rolf, 2002). On one edge of the sword,
the time to market to develop and distribute software is reduced
significantly for commercial SMEs. For individual developers,
barriers of entry to the market are broken down by publishing
software over the Web. But the ease of publishing and distributing
software over the Web can make it exceedingly easy for rogue
developers to anonymously place malware on the Web, which
constitutes a major source of cyber identity theft.
Lawton (2002) classifies malicious programs as open source
malware such as the Scalper worm, which attacks Apache web
servers, P2P malware such as Benjamin, which is a threat to
file-sharing websites such as Napster and Kaaza, and keystroke
logging malware like Spyware.Skin (Symantec, 2007a), which records
keystrokes. Keyghostiii is one of several companies that provide
secure browsing for the user by preventing the logging of
keystrokes and unacceptable use of computer resources. Pulkkis,
Grahan, and Astrom (2003) present a taxonomy in which malicious
programs are classified into two categories:

Host program needed

• Trap door: A trap door is a secret entry point sidestepping usual
authentication procedures to a program. Trap doors have for
many years been used legitimately in program development for
debugging and testing purposes. Malicious use of trap doors is a
grave security hazard.
• Logic bomb: A logic bomb is one of the oldest malicious program
types. A logic bomb embedded in some legitimate program can be
activated by some state—for instance a specific time on a
particular date—to ‘‘explode,’’ which means some damage in the host
computer, like an unexpectedly formatted hard disk, deleted
files, and so on.
• Trojan horse: Taking their name from the hollow wooden horse
employed by the Greeks to attack Troy, this sort of malware
refers to programs that fool users into executing them by
pretending to perform a particular purpose, but eventually proving
to do something else (either instead of, or in addition to, the
asserted function), resulting in unexpected and typically
unwanted effects (Furnell & Ward, 2006). A Trojan horse is a
program code concealed in some useful program performing
redundant or detrimental operations. A few years ago,
Trojan-Downloader.Win32.Banload.dcd, which had been written in
Visual Basic, was in the news as one of the top threats, as it
downloads files via the Internet for execution on the victim’s
machine without his or her prior consent, exposing it to crackers
(Viruslist, 2007).
• Virus: A virus is a replicating program that penetrates a system
by infecting ‘‘carrier’’ materials such as disks, files, or
documents (Furnell & Ward, 2006). A virus may carry a payload,
which will trigger at some point after infection, causing
unnecessary and often destructive effects. A virus is a program that
can infect other programs by altering them. The alteration includes
a replica of the virus program that can go on to infect other
programs. It is worth mentioning that the term ‘‘virus’’ is often
misused as a broad term for all forms of malicious programs.
This mainly occurs in the context of media reports, and both
reflects and elucidates the fact that many end users recognize
all variety of malware to be identical with the concept of a virus.
Independent Malicious Programs

• Bacteria: A bacteria or a ‘‘rabbit program’’ is a self-replicating
program, which consumes large resources on the target computer
and causes a DoS attack as a result of which legitimate programs
can no longer run. One of the instances of bacteria that was
propagating as of late is W32.Bacteria, which fools the users that
the file MFClibrary.dll is a crack tool or a key generator
(Symantec, 2007b).
• Worm: Worms share a superficial resemblance with the virus in
terms of replicating between networked systems, but vary in that
they are able to spread independently, without infecting a carrier
in the manner of a virus (Furnell & Ward, 2006). Worms take
advantage of the network connectivity between systems, and can
proliferate as a result of fully automated activity (e.g., scanning
random IP addresses and taking benefit of susceptibilities to gain
entry to remote systems) or user-initiated actions (e.g., opening
phony content from e-mail attachments or peer-to-peer file
shares). A worm is a program spreading from one computer to
another through network connections. An activated worm may
behave like a virus or bacteria, or it could implant Trojan horses.

Software that passively monitors users, resulting in an invasion of
privacy for the purposes of fraud or cyber identity theft, is also
malware. Malware is also an issue from the customer perspective,
in the sense that it could compromise security during their use of
E-Commerce services (Furnell, 2004). An example of a threat that
compromises security is the Spyware.KeyKey, which had key-
stroke logging capabilities and thus put the user’s personal details
at risk of being captured if he or she initiated a transaction from an
infected system (Symantec, 2007c). Wen (1998) emphasizes the
importance of a virus protection policy to protect from malware
and the policy has 3 Ps—people, products, and procedures. It is the
administrators and the system managers who have the responsi-
bility of understanding the corporate culture and imparting user
education. Hubbard and Forcht (1998) too point out that the best
way to protect from computer viruses is by providing user educa-
tion. The product group forms the antivirus solutions that need to
be deployed on the user’s computers. This has to be followed by the
third P (i.e., procedures wherein antivirus product manuals are
developed and a virus response team is set into action).

Password/Login Attacks
Security systems often fail because users are human. Kevin
Mitnick, one of the world’s most controversial computer crackers,
who now runs a security consultancy, Mitnick Security Consulting,
made an observation: ‘‘Companies spend millions of dollars on
firewalls, encryption and secure access devices, and it’s money
wasted, because none of these measures address the weakest link
in the security chain’’ (Bidgoli, 2006, p. 156). Passwords remain
the main method of authentication in today’s systems because of
their ease, legacy deployment, and ease of revocation. Unluckily,
general techniques of entering passwords by means of keyboard,
mouse, touch screen, or by making use of any traditional input
device, are normally susceptible to attacks such as password
snooping.
A computer-friendly person today has a large number of
personal and professional accounts requiring usernames and
passwords. These passwords are typically weak in strength
and are seldom changed. Even more gravely, numerous users
reuse the same password across various sites. Consequently, if
a fraudulent site is able to learn a user’s password at one site,
the probability is good that this password can be used at other
sites. The cybercrooks leverage the initial set of identity
information to run credit checks and take other steps to search out
all other accounts. Critically, a fraudulent site may not even
need to masquerade as another valid site in order to get this
‘‘global’’ password; all it need do is induce the user to create an
account, which several users will be keen to do if they are
offered some prize (e.g., free e-mail or some promised coupon
good at amazon.com). Even though there have been advances in
security technology, one aspect remains constant: passwords
still play a central role in system security. The difficulty with
passwords is that all too often they are the easiest security
mechanism to defeat.
Another way of launching login attacks is by password cracking.
Most crackers gain illegal entry into remote computer systems
by guessing passwords. It is surprising that so many system
accounts have weak passwords. Most crackers gain access by
guessing people’s passwords using common names or combinations
of letters. Also, password generation programs are used
that create passwords, usually a dictionary word, to try to gain
access. If access is denied, another password is generated and the
process is repeated. The original motive of password cracking was
to help a user recover a forgotten password, but of late it is being
used to gain unauthorized access to a system, or as a preventive
measure by system administrators to check for easily crackable
passwords. Password cracking, which is one of the most powerful
password attacks, can be performed if the attacker can obtain the
password file (Bidgoli, 2006). Computer systems keep a list of
user accounts and passwords in a password file, but the information
is encrypted for protection against attackers. If a password
cracker can gain access to the password file, the cracker has the
benefit of time (translating into more CPU cycles) to crack the
passwords by brute force. Brute-force password guessing can be
very time consuming but is often not essential (Chen & Davis,
2006). There was a surge in brute-force SSH (Secure Shell) attacks
according to the statistics provided by denyhosts.net, with the total
number of SSH attacks being 10,000 although the daily norm was
roughly 2,000 (Thurston, 2008).

The fundamental basis in good password design is to look at
what not to do when creating passwords (Shimonski, 2002).
However, the natural human instinct is to choose passwords
based on common words or names. A good password is one that
makes use of global password policies and is regularly changed,
resulting in ‘‘strong passwords’’ that cannot be cracked by
dictionary programs (Ivens, 2000). A dictionary attack takes
advantage of this tendency by guessing a set of common words and
names. Dictionary attacks can be avoided using the Reverse Turing
Test, which makes use of distorted images that the user must
transcribe and short noisy recordings, which rely on the current
state-of-the-art character and speech recognition algorithms,
respectively (Rao, 2004). Morris and Thompson describe
brute-force and dictionary attacks, wherein brute-force attacks are
based on the observation that short strings are easier for humans
to remember, and dictionary attacks on the fact that meaningful
words are far more memorable than random character
sequences (Morris & Thomson, 1979).
However, modern computer systems are usually programmed
with policies to prevent users from choosing easily guessable
passwords. Hence, the chance of guessing simple passwords is
not as likely today as in the past. More sophisticated hybrid
password guessing tools combine dictionary attacks with limited
brute-force attacks. They begin with guesses of common words
but then methodically add characters to words to form new
guesses.
There have been numerous published articles that have created
guidelines on how to create better or safer passwords with the
following recommendations:
1. Passwords should be memorized and not written down;
2. passwords should be an eight- or nine-character word or
phrase;
3. passwords should contain a mixture of letters (both upper- and
lowercase), numbers, and punctuation characters; and
4. passwords should never be words that can be commonly found
in a dictionary.
This will ensure that the password cannot be cracked by guessing,
dictionary programs, or brute-force attacks.
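The four recommendations above, and the hybrid guessing tools described two paragraphs earlier, can be turned into a policy check that a system applies when a password is set. The Python below is an added example, not code from the article or from any password policy product. Recommendations 2 through 4 are checked directly; recommendation 1 (memorize, do not write down) cannot be checked by software and is left to user education. The check goes one step beyond a plain dictionary lookup, in the way the hybrid tools do: it strips the digits and punctuation users bolt onto the ends of a word and undoes common letter substitutions before looking the remainder up. The minimum length of eight, the tiny `COMMON_WORDS` list and the substitution table are constructed assumptions; a real deployment would use a full cracking wordlist.

```python
import string

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
COMMON_WORDS = frozenset({"password", "welcome", "dragon", "letmein",
                          "monkey", "summer", "qwerty", "football"})
MIN_LENGTH = 8  # assumption: lower bound of the "eight- or nine-character" guideline
# Substitutions a hybrid guesser tries in reverse: P@ssw0rd is still "password".
_UNLEET = str.maketrans("@310$5", "aeioss")


def dictionary_core(password: str, words=COMMON_WORDS):
    """Return the wordlist entry a hybrid attack would recover, or None.

    Lowercases, strips leading/trailing digits and punctuation (the
    characters users append to a word), then tries the result both as-is
    and with common letter substitutions undone.
    """
    lowered = password.lower()
    core = lowered.strip(string.digits + string.punctuation)
    for candidate in (core, core.translate(_UNLEET)):
        if candidate in words:
            return candidate
    return None


def check_password(password: str, words=COMMON_WORDS) -> list:
    """Return the list of guideline violations; an empty list means acceptable."""
    problems = []
    # Recommendation 2: length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Recommendation 3: mixture of character classes.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Recommendation 4: not a dictionary word, even when decorated.
    word = dictionary_core(password, words)
    if word is not None:
        problems.append(f"built on dictionary word '{word}'")
    return problems
```

Note what the third check adds: `P@ssw0rd!` satisfies length and all four character classes, so a policy that only counts classes would accept it, yet a hybrid cracker recovers it in a handful of guesses. Checking the stripped, de-substituted core against the wordlist is what catches it.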
Ernst & Young (2007), in their Global Information Security
Survey 2007, suggest some steps to be taken by the various SMEs to
mitigate security threats. The survey emphasizes integrating
Information Security within the organization, extending the impact
of compliance, managing the risk of third-party relationships,
focusing on privacy and personal data protection, and designing
and building information security.

OPTIMIZING SMES TO ENTER THE GLOBAL MARKETPLACE

Preventing Cybersecurity Threats
Here we discuss approaches or strategies to counter online identity
theft, denial of service, distributed denial of service, and spyware.

First of all, an approach to online identity theft prevention is
described, followed by an approach to mitigate client–server
security threats including denial of service (DoS) attacks. Next we
discuss how to diminish the impact of distributed denial of service
(DDoS) and finally how to thwart the effect of spyware so that
SMEs can enter the global marketplace.

Countering Online Identity Theft
A practical approach to identity fraud detection enables customers
of SMEs to have the best protection against identity fraud.
However, it is imperative to bear in mind that the most efficient
fighting of the cybersecurity threat is achieved when customers
and their financial institutions mutually join hands to stop identity
fraud.

1. Customers of SMEs should monitor their accounts online
at their bank’s, credit card SME’s, or other financial institution’s
websites. Customers who often monitor their accounts
online to check for distrustful or unauthorized activity are
most likely to uncover fraud the fastest.
2. Customers should move their monetary transactions online
by replacing paper invoices, statements, and checks, including
paychecks, with electronic versions where offered
by employers, banks, utilities, or merchants. Customers should
avoid mailing checks to pay bills or deposit funds in a
banking account. As an alternative, they should pay
bills online and use remote deposit check imaging services on
online banking sites.
3. Customers should review credit information at least once
per year: for their free annual report from one or all of the
national credit agencies, they ought to call a toll free number.
Customers can moreover order credit reports through
many financial institutions’ websites or directly through the
credit bureaus, despite the fact that there may be fees
involved.
4. Customers should never make available personal information
if you initiate the contact. Customers should not click on
a link to a website when answering e-mails or text messages.
They should not take action on automated phone messages
prompting them to call a number to resolve a bank account
problem, or on e-mails that prompt them to contact a number.
In its place, they should use contact addresses, websites, or
phone numbers that they can corroborate are legitimate.
5. Customers who have a personal computer should install and
frequently update firewall, anti-spyware, anti-virus, and browser
security software. If they make use of public computers, they
should make certain that these are operational with suitable
security software. When disposing of computers, telephones,
and other sensitive memory storage, they should make sure
that confidential data are destroyed. Simply deleting the
data or reformatting the hard drive is not enough. When
shopping online, customers should confirm that they are doing
business with a trustworthy firm. The SMEs ought to display an
approved security symbol and the transaction should be conducted
on an encrypted site.
6. Diminish uncalled-for access to customers’ personal information
wherever possible. Customers should not carry Social
Security cards or unused credit cards. Customers should be
aware of their environment when transacting in public.
Customers should cover their keypad and any screens that
present sensitive data.
Wylupski, Champion, and Grant (2006) suggest three specific
actions that should be implemented immediately by companies
that possess sensitive customer information for ensuring
data and transaction security so as to prevent cyber identity theft:

• Implement two-factor authentication for access to systems and
databases. This will deter unauthorized sharing of simple user
IDs and passwords in SMEs that have access to such data.
• Implement activity-monitoring tools, at the application or
database level, to detect patterns of unusual activity that may
indicate fraud.
• Consider security practices as a key criterion when selecting
information services providers.

Avoiding Client–Server Security Threats
A comprehensive security plan needs to be devised (Becker &
Berkemeyer, 2006) by SMEs. The areas that need to be worked on
to avoid common client–server security threats are:

• Database security: Database security is assessed in terms of user
profiles and access rights. Database scripts are evaluated in terms
of unauthorized data access by software applications. Database
log files are audited for unauthorized user access to data.
• Desktop and group policies: Individual and group policies are
audited in terms of desktop access rights, remote administration,
hardware configuration, software backups, user privileges,
virus protection, and software downloads.
• Intrusion detection: System-administration log files are audited to
uncover security areas vulnerable to DoS attacks. Firewall
protection is assessed in terms of security holes allowing external
intruders to access sensitive data.
• Web logs: Web logs are audited to assess the use of cookies,
content filtering, secure socket-layer encryption, plug-ins, and
customer and seller data encryption.

Client–server security threats fall into two categories: (a) Denial of
Service and (b) Distributed Denial of Service.

Evading Denial of Service
Typically, a denial of service (DoS) attack may be caused by the
following factors, which ought to be kept in mind by network
administrators of SMEs:
• Exploitation of bugs: All software includes bugs that can, for
example, cause a host to crash owing to errors in dynamic
memory structure handling, as in the Teardrop attack
based on overlapping IP fragments (Northcutt & Novak,
2002, pp. 54–55).
• Exploitation of syntax errors: Implementations are not at all times
capable of handling syntactically incorrect data, as in the
Internet Group Management Protocol (IGMP) attack based on
malformed headers (SecuriTeam, 1999).
• Exploitation of semantic errors: Implementations might process
all syntactically correct messages, although some of these
messages are semantically erroneous. For instance, in DNS cache
poisoning a fake mapping (a DNS answer) may be attached to
an original query message.
• Exploitation of misplaced authentication requirements: Lack of
authentication makes it possible to enter fake information into
numerous protocols (namely dynamic routing protocols) and
services (namely DNS) (Papadimitratos & Haas, 2002).

Backscatter analysis is used to evaluate the number, duration,
and focal point of DoS attacks in the Internet (Moore, Voelker, &
Savage, 2001). Backscatter refers to the unsolicited response
traffic that the victim sends in response to direct attack
packets with spoofed IP source addresses.
The following common reaction methods have been put forward
in the literature for evading flooding DoS attacks (Chang,
2002):
• Blocking: all packets matching a signature are rejected at an
upstream router.
• Rate-limiting: a portion of packets matching a signature are
rejected at an upstream router. Support for Quality-of-Service
(QoS) features should be provided by the involved routers. Only
incoming packets are rate-limited, and outgoing packets can
leave the network freely without any additional penalties.
Rate-limiting cannot reject too many packets, because legitimate
flows matching an attack signature must survive the one-way
packet loss. This limits the efficacy of rate-limiting in diminishing
wide-bandwidth flooding DoS attacks.
• Connection tear-down: malicious TCP (Transmission Control
Protocol) connections are torn down with an RST, the designation
given in ISO 7816 for the reset signal message.
• Flood processing in an additional place: a DoS flood can be handled
in a place with superior abilities. For instance, a router can take
the task of handling (proxying) specific resource intensive tasks.
This saves resources in a target end-host.
• Internet Protocol hopping: the Internet Protocol address of a target
computer is changed in the DNS. In the Code Red I v2 worm the
Internet Protocol address of the target computer was hard-coded,
which made it easy to avert the attack by changing the victim’s IP
address in the DNS.

Jamming and rate-limiting of DoS traffic at upstream routers
necessitates a method for distributing the attack description. The
proposed methods for an IDS (Intrusion Detection System) to
distribute attack identification information are the Pushback
messages (Floyd et al., 2001) and the Intrusion Detection and
Isolation Protocol (Sterne et al., 2001).
The phrase Internet firewall (Chang, 2002) has been used to
signify a global defense infrastructure, where several routers in
the Internet infrastructure detect and filter attack traffic in a
coordinated manner. An Internet firewall, however, has been found
to be an essential defense method against fast-spreading worms
exploiting a newly found vulnerability (Shannon & Moore, 2004).
IP spoofing can be constrained by using ingress and egress
filtering (Ferguson & Senie, 2000) in a border router of a network,
such as a network of an ISP or its customer. An ingress filtering
router in an ISP network will ensure that packets emanating from
a customer network have legitimate source IP addresses within the
prefix assigned to that customer. Egress filtering does a similar
check for packets travelling in the opposite direction, which
prevents an ISP border router from forwarding packets that have a
source IP address belonging to the same client as the destination
IP address.
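The two checks in the paragraph above are simple enough to state as a decision procedure, and seeing them side by side makes clear which spoofed packets each one stops. The Python below is an added example, not code from the article or from Ferguson & Senie (whose 2000 paper is RFC 2827, BCP 38); it models an ISP border router that knows a customer's assigned prefix and applies the ingress rule to packets arriving from the customer link and the egress rule to packets heading toward it. The `BorderRouter` class, the `192.0.2.0/24` customer prefix and the sample packets (all RFC 5737 documentation addresses) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "from_customer" or "to_customer", as seen at the ISP border


class BorderRouter:
    """Source-address filtering at an ISP border for one customer attachment."""

    def __init__(self, customer_prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]

    def is_customer_address(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.prefixes)

    def decide(self, pkt: Packet) -> str:
        """Return 'forward', or a string starting with 'drop:' giving the reason."""
        if pkt.direction == "from_customer":
            # Ingress filtering: a packet entering from the customer link must
            # carry a source address inside the prefix assigned to that customer.
            if not self.is_customer_address(pkt.src):
                return "drop: source outside customer prefix (spoofed)"
            return "forward"
        if pkt.direction == "to_customer":
            # Egress check toward the customer: a packet arriving from the rest
            # of the Internet must not claim a source inside the very prefix it
            # is being delivered to.
            if self.is_customer_address(pkt.src):
                return "drop: outside packet claims customer source"
            return "forward"
        raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed sample traffic using RFC 5737 documentation ranges.
CUSTOMER_PREFIXES = ["192.0.2.0/24"]
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", "from_customer"),   # legitimate outbound
    Packet("203.0.113.7", "198.51.100.5", "from_customer"),  # spoofed source
    Packet("198.51.100.5", "192.0.2.10", "to_customer"),     # legitimate inbound
    Packet("192.0.2.99", "192.0.2.10", "to_customer"),       # spoofed inbound
]


def filter_packets(router: BorderRouter, packets) -> list:
    """Apply the router's decision to each packet, in order."""
    return [router.decide(p) for p in packets]


def demo() -> list:
    return filter_packets(BorderRouter(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
```

The ingress rule is the one that limits a customer's ability to launch spoofed floods (and so the backscatter discussed earlier); the egress rule protects the customer from packets forged to look as if they came from inside its own network.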
TCP SYN flooding is an extensively used flooding DoS attack method.
Most available DoS tools support this attack type, and the literature
also indicates that the majority of DoS attacks are TCP-based (Moore
et al., 2001). The consequences of TCP SYN flooding attacks can be
diminished by applying the following defenses (Schuba et al., 1997):
• improving end-system configuration (shortening the timeout for
half-open connections, enlarging the backlog queue),
• changing connection establishment so that half-open connections need
not be stored (encoding the connection state in the initial sequence
number as a SYN cookie),
• shifting the burden of handling half-open connections to a firewall,
and
• actively monitoring existing TCP connections (Synkill, in which
sources classified as malicious are prevented from making further
connections).
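The SYN-cookie defense in the second bullet is easiest to see in code. The following Python is an added example written for this page, not code from Schuba et al. or from any TCP stack. It follows the classic cookie layout (an 8-bit time counter, a 3-bit MSS index and a 21-bit keyed hash packed into the 32-bit initial sequence number; real stacks differ in the exact bit split), with a constructed secret and constructed addresses. The simulated server answers 10,000 spoofed SYNs without storing anything, still completes the handshake of a genuine client, and rejects both a forged ACK and one that arrives after the cookie has aged out.

```python
import hashlib
import hmac

# Constructed server secret; a real stack rotates it periodically.
SECRET = b"example-server-secret"
MSS_TABLE = [536, 1220, 1440, 1460]  # the few MSS values the cookie can encode
COUNTER_PERIOD = 64                  # seconds per value of the 8-bit time counter


def _counter(now):
    return int(now // COUNTER_PERIOD) & 0xFF


def _mac(src, dst, sport, dport, counter):
    """21-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFF


def make_syn_cookie(src, dst, sport, dport, client_mss, now):
    """ISN for the SYN-ACK: 8-bit counter | 3-bit MSS index | 21-bit MAC.
    Nothing about the half-open connection is stored on the server."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    t = _counter(now)
    return (t << 24) | (idx << 21) | _mac(src, dst, sport, dport, t)


def check_syn_cookie(src, dst, sport, dport, ack_number, now):
    """Validate the client's final ACK. Returns the negotiated MSS, or None if
    the cookie is forged, malformed, or older than one counter period."""
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the ACK acknowledges ISN + 1
    t, idx, mac = cookie >> 24, (cookie >> 21) & 0x7, cookie & 0x1FFFFF
    if (_counter(now) - t) & 0xFF > 1:       # accept current and previous period
        return None
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac(src, dst, sport, dport, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


def simulate(flood_size=10_000):
    """Constructed scenario: a spoofed SYN flood, one genuine handshake, one
    forged ACK and one stale ACK. `half_open` is the table a stateful server
    would have to keep; with cookies it is never written to."""
    now = 1_700_000_000.0
    server, port = "192.0.2.10", 443
    half_open = {}
    for i in range(flood_size):  # every spoofed SYN gets a cookie and is forgotten
        make_syn_cookie(f"198.51.100.{i % 256}", server, 1024 + i, port, 1460, now)
    isn = make_syn_cookie("203.0.113.5", server, 40000, port, 1460, now)
    legit = check_syn_cookie("203.0.113.5", server, 40000, port,
                             (isn + 1) & 0xFFFFFFFF, now + 3)
    forged = check_syn_cookie("198.51.100.1", server, 1025, port, 0x12345678, now + 3)
    stale = check_syn_cookie("203.0.113.5", server, 40000, port,
                             (isn + 1) & 0xFFFFFFFF, now + 3 * COUNTER_PERIOD)
    return {"half_open": len(half_open), "legit_mss": legit,
            "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(simulate())
```

The price of statelessness is visible in the code: only four MSS values survive, TCP options sent in the SYN are lost, and an attacker who can observe the SYN-ACK can still complete a handshake, so cookies defeat the half-open-queue exhaustion, not every form of SYN abuse.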
The following general response methods have been proposed in the
literature for mitigating flooding DoS attacks (Chang, 2002):
• Blocking: all packets matching a signature are dropped at an
upstream router.
• Rate-limiting: a fraction of the packets matching a signature are
dropped at an upstream router. The routers involved must support
Quality-of-Service (QoS) features. Only incoming packets are
rate-limited; outgoing packets can leave the network freely without any
added penalty. Rate-limiting cannot drop too many packets, because
legitimate flows that match the attack signature have to survive the
one-way packet loss. This limits the effectiveness of rate-limiting
against high-bandwidth flooding DoS attacks.
• Flood processing in another place: a DoS flood can be handled at a
location with greater capacity. For instance, a router can take over
(proxy) certain resource-intensive tasks, saving resources on the
target end-host.
• Internet Protocol hopping: the IP address of the target computer is
changed in the DNS. In the Code Red I v2 worm the IP address of the
target computer was hard-coded, which made it easy to avert the attack
by changing the target's IP address in the DNS.
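To make the difference between the first two response methods, and the collateral-damage caveat, concrete, here is an added Python simulation written for this page (not code from Chang, 2002). The victim, attacker and client addresses, the one-second traffic mix and the rate-limit parameters are constructed; the signature is the kind of tuple an upstream router receives from the IDS, and it matches a legitimate resolver's queries just as well as the flood.

```python
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst proto dport")


class TokenBucket:
    """Packet-rate limiter. Tokens are kept in thousandths of a packet so all
    arithmetic is integer: `rate_pps` tokens accrue per millisecond (that is,
    rate_pps packets per second) up to a burst of `burst` packets."""
    def __init__(self, rate_pps, burst):
        self.rate, self.cap = rate_pps, burst * 1000
        self.tokens, self.last_ms = self.cap, 0

    def allow(self, now_ms):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def matches(signature, pkt):
    return all(getattr(pkt, field) == value for field, value in signature.items())


def respond(traffic, signature, mode, rate_pps=None, burst=None):
    """Apply one response method at an upstream router.
    mode='block': every packet matching the signature is dropped;
    mode='ratelimit': matching packets pass only while the bucket has tokens.
    Non-matching packets are always forwarded. Returns per-source counters."""
    bucket = TokenBucket(rate_pps, burst) if mode == "ratelimit" else None
    forwarded, dropped = Counter(), Counter()
    for t_ms, pkt in traffic:  # traffic must be ordered by time
        if not matches(signature, pkt):
            forwarded[pkt.src] += 1
        elif mode == "block" or not bucket.allow(t_ms):
            dropped[pkt.src] += 1
        else:
            forwarded[pkt.src] += 1
    return forwarded, dropped


VICTIM = "192.0.2.10"
ATTACKER, RESOLVER, SHOPPER = "198.51.100.1", "203.0.113.5", "203.0.113.9"
SIGNATURE = {"dst": VICTIM, "proto": "udp", "dport": 53}  # as reported by the IDS


def sample_traffic():
    """One constructed second: a 1000 pps DNS flood, a legitimate resolver
    sending ten queries to the same service, and a shopper's HTTPS packets."""
    flood = [(t, Packet(ATTACKER, VICTIM, "udp", 53)) for t in range(1000)]
    queries = [(55 + 100 * j, Packet(RESOLVER, VICTIM, "udp", 53)) for j in range(10)]
    web = [(100 * j, Packet(SHOPPER, VICTIM, "tcp", 443)) for j in range(10)]
    return sorted(flood + queries + web, key=lambda x: x[0])  # stable sort


def compare():
    """Run both responses over the same traffic; (forwarded, dropped) per source."""
    results = {}
    for mode, kw in (("block", {}), ("ratelimit", {"rate_pps": 100, "burst": 10})):
        fwd, drp = respond(sample_traffic(), SIGNATURE, mode, **kw)
        results[mode] = {src: (fwd[src], drp[src]) for src in (ATTACKER, RESOLVER, SHOPPER)}
    return results


if __name__ == "__main__":
    for mode, per_source in compare().items():
        print(mode, per_source)
```

Blocking removes the flood and the resolver's queries alike. Rate-limiting to 100 pps lets about a tenth of the flood through, but because the flood refills the bucket's competition every millisecond the resolver's ten queries still never find a token: a signature that cannot separate the flows cannot protect the legitimate one, which is the reason the text gives for preferring responses placed nearer the sources.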
The roadmap for combating DoS attacks is shown in Figure 3.

Mitigating Distributed Denial of Service

An ideal DDoS defense solution for network administrators in SMEs
ought to have the following characteristics: effective, transparent to
the existing Internet infrastructure, low performance overhead,
resistant to attacks aimed at the defense system itself, incrementally
deployable, and no impact on legitimate traffic. We describe the
solutions to DDoS attacks below in terms of these concerns.
Figure 3 Roadmap for combating Denial of Service and Distributed Denial of Service attacks.

A DoS attack / A Distributed DoS (DDoS) attack

Coordination of DDoS agents (sources):
- Encryption of attack commands
- Stealthy transmission of commands:
  - Tunneling inside ICMP payload data
  - Tunneling inside DNS payload data
  - The use of IRC channels
  - The use of special peer-to-peer protocols
- The use of packet types able to pass through firewalls (e.g., ICMP Echo Reply)

Attack mechanism:
- Flooding attack mechanism (based on brute force): a victim is flooded with unneeded data:
  - TCP flood (e.g., TCP SYNs)
  - ICMP flood
  - UDP flood
  - Application-level flooding (e.g., DNS)
- Logic attack mechanism (based on the use of intelligence): one or a few messages are sent to a victim:
  - Exploitation of bugs
  - Exploitation of syntax errors
  - Exploitation of semantic errors
  - Exploitation of missing authentication requirements

Reflector attack versus direct attack:
- Reflector attack: attack packets are transmitted via an innocent third party (e.g., a router responding with an ICMP message). There are two victims, the intermediate reflector and the ultimate victim receiving the attack traffic. Bandwidth or packet amplification may be included (broadcast amplification by using a directed broadcast address in packets sent to a reflector).
- Direct attack: attack packets are transmitted directly to the victim.

Source address of attack packets:
- IP spoofing (false source IP addresses), needed to hide the location of the attacker; spoofing is not required if a chain of stepping stones is used
- The victim's address in the source address field: used in reflector attacks
- An unused address in the source address field: the victim is forced to try to contact a non-existent host

1. Effectiveness. Effectiveness is determined by the capability to
stop an attack on the spot, whether it is a disruptive attack or a
degrading attack and whatever its strength. Among the approaches for
identifying the source of attack traffic, Traceback makes it possible
to trace the routers close to the attack sources (Savage, Wetherall,
Karlin, & Anderson, 2000). Nevertheless it does not work well for
highly distributed attacks, and its result is not 100% accurate; it is
more effective for non-distributed attacks and for highly overlapping
attack paths. The packet marks used by Traceback can also be forged by
attackers (Savage et al., 2000). PICA reports the paths of packet
streams in path messages (sent as ICMP messages), thus eliminating the
need for path reconstruction at the receiver; this approach is more
efficient at constructing the map of attackers in a DDoS attack.
In the efforts to filter the traffic, Pushback is expected to use the
core routers effectively to control the attack, reducing congestion in
the Internet (Ioannidis & Bellovin, n.d.). D-WARD attempts to defend
the server from the source end, and consequently can detect attacks
quickly and lift its rate limit quickly once an attack ends. The D-WARD
architecture is shown in Figure 4.
DefCOM takes a distributed deployment and performs each action where
it is most effective: precise detection at the victim, rate-limiting in
the core, and traffic differentiation at the source. DefCOM comprises
diverse defense nodes organized in a peer-to-peer network that
communicate to achieve a dynamic, cooperative defense. Figure 5
illustrates the high-level operation of DefCOM. There are three types
of nodes:
• Alert generator: detects the attack and notifies the other nodes.
• Classifier: separates legitimate traffic from malicious traffic,
forwards the legitimate packets marked with a "valid" mark, rate-limits
the suspicious packets, and marks them with a "monitored" mark.
• Rate-limiter: limits the rate of all traffic to the victim and gives
the highest priority to traffic carrying the "valid" mark.
NetBouncer (Johnson, Croall, & Thomas, 2003) provides synthetic
authentication and client-legitimacy-based DDoS filtering: it
identifies legitimate clients and serves only their packets. It carries
out packet-based tests, flow-based tests, and application- and
session-oriented legitimacy tests. By authenticating the client,
NetBouncer successfully defeats spoofed attacks. Large numbers of
agents can nevertheless degrade service for legitimate clients,
creating a flash-crowd effect, and some genuine clients do not support
certain legitimacy tests (e.g., the ping test). Kill-bots uses
stateless authentication, offers a way to serve legitimate users who do
not respond to CAPTCHAs, and optimizes the balance between
authentication and service. It also improves performance during flash
crowds. All of this makes Kill-bots an efficient solution for online
Web businesses, including SMEs. The Low Bandwidth Turing Test helps to
defeat software agents without aggravating the DDoS problem, which
makes the Turing-test approach more successful.

Figure 4 Functioning of the D-WARD architecture.

Figure 5 DefCOM in operation.
2. Transparency to the existing Internet infrastructure. Most of the
approaches require changes to the Internet infrastructure, which makes
them hard to apply. For instance, Pushback requires modification of
existing core routers and probably the purchase of new hardware
(Ioannidis & Bellovin, n.d.). Overlay networks offer an alternative.
These approaches do not require changes to the network protocol or to
routers: an Internet-wide network of nodes acts as a distributed
firewall and authenticates clients. The protected servers hide behind
the overlay network, and only authorized clients can reach them through
it. An overlay network is a non-transparent form of packet
interception: once all packets destined for a protected server can be
captured, whether the server's identity is secret or not becomes
irrelevant.
3. Extent of alteration to client-side software. Most of the solutions
do not require changes to client-side software, for example egress
filtering, ingress filtering, and NetBouncer (Johnson et al., 2003).
The following solutions, however, do require client-side changes: in
SOS, clients must be aware of the overlay and use it to reach the
protected server; when client puzzles are used, the client must be
modified to receive and solve the puzzles.


4. Performance overhead. The defense system should be reasonably
inexpensive whether or not an attack is in progress. Some approaches
have little overhead: in Pushback the operation is simple and there is
almost no overhead for routers (Ioannidis & Bellovin, n.d.), and
D-WARD has small processing and memory overhead. Other approaches have
more. In SOS, traffic routed through the overlay travels on a
suboptimal path. In Traceback, packet marking incurs moderate overhead
at routers, and reassembly of distributed attack paths is prohibitively
expensive, although this can be countered by doing the computation
offline. With client puzzles, puzzle verification consumes a fair
amount of server resources.
5. Whether the defense systems themselves are susceptible to attack.
Most of the approaches operate statelessly, so attackers cannot mount
state-consumption attacks against them. For instance, in NetBouncer all
legitimacy tests are stateless, so the defense system cannot be the
target of state-consumption attacks, although challenge generation
might still exhaust the defense. Other systems rely instead on
redundancy and encryption to avert attack. For example, SOS depends on
redundancy in the overlay and on secrecy of the path chosen to the
target to protect SOS itself against DoS attacks. Nevertheless, when
one of the SOS nodes is compromised by the attacker, the target node is
exposed to the outside world.
6. Deployability. Is there an economic incentive for deployment? Is
incremental deployment viable? Pushback operating at only a few routers
can still influence traffic flows because of the topology, but so far
Pushback only works in contiguous deployment. By their deployment
requirements the approaches can be divided as follows:
• Incrementally deployable. Traceback is an example: a small number of
disjoint routers can already provide useful information.
• Legacy compatible. In DefCOM, for example, the core nodes handle
attacks arriving from legacy networks. The overlay architecture
provides scalability, and only a few deployment points are required.
• Large initial deployment required. Firebreak is of this type. Even
when there is only one protected target, the initial Firebreak
deployment must be large enough to absorb the largest expected attack.
7. Precision of DDoS defense. DDoS defense generally requires dropping
packets, but at the same time legitimate traffic should be protected,
so collateral damage must be kept to a minimum. Pushback reduces
collateral damage by placing the response close to the sources
(Ioannidis & Bellovin, n.d.). Collateral damage arises whenever attack
traffic is not clearly distinguishable from legitimate traffic. DefCOM
uses selective response and yields low collateral damage (Mirkovic,
Robinson, Reiher, & Kuenning, 2003).


When a Turing test is used for client validation, a human client who
cannot solve the test properly may be refused further communication.
Kill-bots additionally distinguishes human clients from attack agents
by how many failed attempts they have made.

Proposed Solution for SMEs

Attackers are now more frequently using legitimate, or plausible,
protocols and services as the carrier for their packet streams. The
resulting attacks are difficult to defend against with standard
techniques, because the malicious requests differ from legitimate ones
in intent but not in content. Consequently many of the approaches
described above are not suited to this kind of traffic. Filtering or
rate-limiting based on malformed packets is not viable at all; in fact,
filtering or rate-limiting an attack that uses a legitimate and
expected type of traffic may complete the attacker's task by making
legitimate services unavailable.
At present, the most viable way to handle this situation is the
Turing-test mechanism as used in Kill-bots. The first attempt to
generate a text-based CAPTCHA was made by Godfrey (2002). Graphical
CAPTCHAs are the most widely used today. A graphical CAPTCHA consists
of a picture with a degraded or distorted image, which consumes a lot
of precious bandwidth, particularly during an attack: transferring
those images from server to client for authentication during a DDoS
attack uses a significant amount of bandwidth.
One possible low-bandwidth Turing test is text-based question and
response, since computational linguistics is one of the most prominent
research disciplines in artificial intelligence, and a Turing test in
text format generally consumes much less bandwidth. Although humans
find natural language effortless to understand, computers do not. The
following problems make natural language processing difficult (Natural
Language Processing, n.d.).
1. Speech segmentation. In most spoken languages the sounds
representing successive letters blend into each other, so converting
the analog signal into discrete characters can be a very difficult
process. Moreover, in natural speech there are hardly any pauses
between successive words; locating the word boundaries often has to
take grammatical and semantic constraints into account, as well as the
context.
2. Text segmentation. Some written languages, such as Chinese and
Thai, do not mark word boundaries, so any meaningful parsing of the
text usually requires word-boundary detection, which is often a
non-trivial task.
3. Word sense disambiguation. Many words have more than one meaning;
the meaning that makes the most sense in context has to be selected.
4. Syntactic ambiguity. The grammar of natural languages is ambiguous,
meaning there are often multiple possible parse trees for a given
sentence. Selecting the most suitable one generally requires semantic
and contextual information. A specific instance of syntactic ambiguity
is sentence boundary disambiguation.
5. Faulty or irregular input. Foreign or regional accents and speech
impediments in spoken language; typing or grammatical errors and OCR
(optical character recognition) errors in text.
6. Speech acts and plans. Sentences often do not mean what they
literally say; for example, a good reply to "Can you pass the salt?" is
to pass the salt in most circumstances. "Yes" is not a good reply, "No"
is better, and "I'm afraid that I can't see it" is better still. These
complexities are what researchers can exploit to produce an effective
text-based Turing test.
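The following Python is an added example written for this page, not code from Kill-bots or from Godfrey (2002). It combines the stateless authentication of Kill-bots with the text-based question/response proposed above: the server keeps no record of outstanding challenges, because each challenge token is bound to the client address, question and issue time with an HMAC, and a source is cut off once it exceeds a failed-attempt threshold, which is how Kill-bots separates humans from attack agents. The secret, the question bank, the validity window and the failure threshold are constructed for the example; a real question bank would need to be large and rotated.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

SECRET = os.urandom(32)   # per-server secret (constructed; rotate in practice)
WINDOW = 120              # seconds a challenge token stays valid
MAX_FAILURES = 3          # failed answers after which a source is treated as a bot

# Constructed question bank: short "speech act" style puzzles whose answers
# need pragmatics rather than pattern matching. Answers are stored normalized.
QUESTIONS = [
    ("If I ask 'can you pass the salt?', what should you hand me?", "salt"),
    ("Spell the word 'salt' backwards.", "tlas"),
    ("Which is larger, a mouse or a horse?", "horse"),
]


def _normalize(answer):
    return " ".join(answer.strip().lower().split())


def _tag(client_ip, qid, issued):
    """Bind (client, question, issue time) under the server secret."""
    msg = f"{client_ip}|{qid}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_challenge(client_ip, now=None):
    """Server side: pick a question and return (question_text, token). The
    token carries everything needed to verify the answer later, so the server
    stores nothing while the client thinks."""
    now = int(now if now is not None else time.time())
    qid = int.from_bytes(os.urandom(2), "big") % len(QUESTIONS)
    token = f"{qid}.{now}.{_tag(client_ip, qid, now)}"
    return QUESTIONS[qid][0], token


class Gate:
    """Admission control. The only state is a failure count per source, which
    exists only for sources that have already failed at least once."""

    def __init__(self):
        self.failures = defaultdict(int)

    def verify(self, client_ip, token, answer, now=None):
        now = int(now if now is not None else time.time())
        if self.failures[client_ip] >= MAX_FAILURES:
            return "blocked"
        try:
            qid_s, issued_s, tag = token.split(".")
            qid, issued = int(qid_s), int(issued_s)
            if not tag.isascii():
                raise ValueError("bad tag")
        except ValueError:
            self.failures[client_ip] += 1
            return "rejected"
        fresh = 0 <= now - issued <= WINDOW
        genuine = hmac.compare_digest(tag, _tag(client_ip, qid, issued))
        if (fresh and genuine and 0 <= qid < len(QUESTIONS)
                and _normalize(answer) == QUESTIONS[qid][1]):
            self.failures.pop(client_ip, None)
            return "admitted"
        self.failures[client_ip] += 1
        return "rejected"


if __name__ == "__main__":
    gate = Gate()
    question, token = issue_challenge("203.0.113.5")
    print(question)
    print(gate.verify("203.0.113.5", token, dict(QUESTIONS)[question]))
```

Because the token is bound to the client address, a botnet cannot have one agent solve a challenge and replay the token from others, and because verification needs only the secret, the gate itself cannot be exhausted by flooding it with unanswered challenges, the state-consumption concern raised earlier in the section.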

COMBATING SPYWARE

SMEs are currently combating the spyware plague in three areas:
desktop removal, user education, and legislation.
Desktop removal mainly consists of software installed on the
employee's machine that, when started, scans the machine for
signatures matching a database of known spyware and then deletes the
malicious code. Some products take the solution a step further and
immunize the machine in an attempt to prevent infection with that
spyware in the future. Some of the frequently used desktop antispyware
removal tools are:
• Microsoft Windows AntiSpyware
• SpyBot S&D (freeware)
• Ad-aware (free version available)
• Geek Superhero
• X-Cleaner (freeware)
• Spy Sweeper
• PestPatrol
• HiJack This (not a removal tool; excellent forensic tool)
• StartUpList (detects programs running at start-up)
• Spy Subtract
• SpyRemover
• Keylogger Killer
• Who's Watching Me
• Personal AntiSpy
• Keylogger Hunter (freeware)
• KL Detector (freeware)
• Spy Detect
• BHODemon (scans for Browser Helper Objects that run when your
browser is started)
• a2 Software
• Yahoo Anti-Spy Toolbar
The second approach, which is becoming more and more widespread in
SMEs today, is simply to educate the end user. As we will see later,
spyware manufacturers are escaping prosecution merely because the end
user is allowing and approving the installation of the spyware. A great
deal of the spyware prevalent today displays dialog boxes announcing
the installation of the spyware. Nevertheless, the spyware
manufacturers are very adept at leading the naive end user into
installing the undesirable software. Many SMEs are beginning to train
their employees, warning them of the hazard and of how to avoid the
deceptions of spyware.
Following are some websites suggested by InternetJournal.com
that may help SME employees become more educated on spyware
(Inside Spyware, n.d.):
• http://www.spywareguide.com/
• http://www.kephyr.com/spywarescanner/library/index.phtml
• http://www3.ca.com/securityadvisor/pest/search.aspx
• http://spybot.eon.net.au/en/index.html
• http://cexx.org/adware.htm
Legislation is another way in which the SMEs of the world are trying
to wage war on the spyware epidemic. Regardless of the good intentions
of lawmakers, spyware is winning. On this topic the ABA Journal
reports: "'The state of the law is absolute confusion,' says Sharon
Nelson, an attorney of Sensei Enterprises, a computer forensics firm
in Fairfax, Va. 'I recognize that here in Virginia, lawyers are very
anxious'" (Krause, 2005).
Before we probe too deeply into the deficiencies, a few pieces of
legislation to date are worth stating. Utah was the first state in the
country to pass an anti-spyware law, on March 23, 2004. The law forbids
any party from installing, or causing the installation of, spyware on
a computer and also prohibits the use of context-based pop-ups that
obscure essential content.
The two-page definition centers on monitoring computer usage;
presenting advertisements that are not visibly branded; the use of
content-based triggering methods or third-party trademarks; and the
adequacy of the notice and consent for the application obtained
through a license agreement. The sponsor of the bill, State Rep.
Stephen H. Urquhart, defended the need to protect consumers from
unfair business practices (Urbach & Kibel, 2004).
Under the Internet Spyware (I-SPY) Prevention Act of 2004, anyone
found guilty of using spyware to steal private information with the
intent of misusing it, or to compromise a computer's defenses, could
face up to two years in prison. Those using spyware to commit other
federal crimes face up to five years in prison, on top of their
original sentences (Gordan, 2005).
The ISC2 Journal and the Intellectual Property & Technology Journal
bring to light many other bills and laws that have been passed at the
state and federal level. The FTC has also been a major component of
the legislative effort to protect the public from spyware. Regardless
of the desktop removal tools, education, and legislation, spyware still
comes out ahead when weighed in the balance.
If we observe our current state of affairs in combating spyware,
certain weaknesses come to the surface. The Journal of Information
Systems Management goes so far as to state: "To date, no anti-spyware
utility can present an impenetrable defense" (Spiror, Ward, & Roselli,
2005).
The desktop removal tools are reactive to the problem rather than
proactive: by the time they act, we have already felt the impact of
spyware on our productivity. It would be far more valuable to SMEs to
simply block spyware before it has ever infected our machines. Our
education efforts turn out to be in vain when employees do not comply
with corporate policy and continue to download file-sharing programs
like Kazaa, screensavers, Comet Cursor, and a whole host of other
freeware/spyware. Many employees are under the impression that the SME
is blocking spyware with a firewall; they are unaware of the firewall's
limitations and of their own current level of access in combating the
spyware problem. Firewalls currently operate at the transport and
network layers of the OSI model, whereas spyware is getting through our
borders at the application layer. As far as legislation is concerned,
in dozens of cases spyware manufacturers have been given little more
than a slap on the wrist.
Because spyware is generating money, one can expect its presence to
grow, and adware to become a focus for the brightest hacker talent. We
consider this a much bigger epidemic than viruses, for the basic reason
that viruses paid hackers nothing, whereas adware companies will pay
big dollars for brilliant minds. The market is expected to grow both in
the number of spyware programs we encounter and in the products trying
to mitigate them.
Now we are left with the question: where is spyware mitigation
heading? "In a recent Information Security survey, 87.5% of
participants said that controlling spyware was their top priority for
2005" (Skoudis, 2005).
The Journal of Information Systems Management predicts: "By the ending
of 2005, firewall, anti-virus protection, and behavior-based protection
will be accessible in one integrated software package" (Spiror et al.,
2005). Three distinct areas are defense-in-depth, gateway-level
solutions, and behavior-based protection (behavioral heuristics).
Defense-in-depth is already beginning to happen, with SMEs using
multiple desktop removal tools, policy changes within the browser
settings (such as locking down active Web content), installing Windows
XP Service Pack 2 (which blocks pop-ups and applies stricter Web
restrictions), and installing personal firewall software on PCs (which
blocks outbound communication to spyware servers). All of these
techniques help to control spyware; however, they are an administrative
nightmare to update.
Gateway-level solutions are starting to work at the enterprise level.
Hardware products inspect all traffic passing into the network, using
multiple techniques from signature matching to behavioral heuristics.
Several methods deployed at the enterprise level are administered
centrally rather than at the desktop. DNS black holes redirect users to
internal Web pages when they attempt to visit commonly known spyware
sites. Another measure is running two Web browsers, IE for the intranet
and Firefox for general surfing of the Web; Firefox is less prone to
attack than the IE browser and is recommended. SMEs are advised to use
start-up scripts to check what gets loaded when desktops boot, and to
use an outbound Web proxy to check for suspicious traffic (Skoudis,
2005). All of these methods are good tools for mitigating spyware and
for implementing security-in-depth.

The next approach to spyware mitigation is behavioral heuristics.
Behavioral heuristics take a distinctive approach in that constant
updates are not necessary. The products described in the next section
include many of the methods above in a gateway-level product, but only
a few take advantage of behavioral heuristics. Behavioral heuristics
are best explained by a Sana Security white paper, "Avoiding Malicious
Spyware at the Enterprise Level," which looks at the runtime
characteristics of a piece of spyware: keylogging (also used by
legitimate software such as instant messengers), running in the
background, having no entry in Add/Remove Programs in the Control
Panel, and carrying no signature from a trustworthy entity.
Upon evaluating all of these criteria, it is reasonable to conclude
that if a program meets all of these features, then it is spyware
(Preventing Malicious Spyware in the Enterprise, 2005). Other features
can be identified in the settings as well, but this gives the general
idea of behavioral heuristics. By tuning the features over time, we can
begin to become proactive in combating spyware. Behavioral heuristics
is the most distinctive technique.
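The conjunctive rule sketched above, as an added example written for this page (not code from the Sana Security white paper or from any product): a Python classifier over constructed process records that flags a program only when all four traits hold, so that a signed instant messenger that hooks the keyboard is not flagged. The `required` parameter is the tuning knob the text alludes to. The trait names, the trusted-signer list and the sample processes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Process:
    name: str
    hooks_keyboard: bool      # installs a keyboard hook (keylogging behaviour)
    has_window: bool          # False means it runs purely in the background
    in_add_remove: bool       # listed under Add/Remove Programs in the Control Panel
    signer: Optional[str]     # code-signing publisher, None if unsigned


# Constructed allow-list of publishers the organization trusts.
TRUSTED_SIGNERS = {"Microsoft Corporation", "Example IM Inc."}


def traits(p):
    """The four runtime characteristics named in the text, as booleans."""
    return {
        "keylogging": p.hooks_keyboard,
        "background_only": not p.has_window,
        "no_add_remove_entry": not p.in_add_remove,
        "untrusted_signature": p.signer not in TRUSTED_SIGNERS,
    }


def classify(p, required=4):
    """Flag a process when at least `required` of the four traits hold. The
    default of 4 is the strict conjunction from the text; lowering it is the
    tuning knob and trades missed spyware for false positives."""
    present = traits(p)
    hits = [name for name, flag in present.items() if flag]
    return ("spyware" if len(hits) >= required else "benign"), hits


# Constructed process inventory for one desktop.
SAMPLE = [
    Process("im-client.exe", True, True, True, "Example IM Inc."),  # signed IM with hotkeys
    Process("svchelper.exe", True, False, False, None),            # classic spyware profile
    Process("toolbar-upd.exe", False, False, False, None),         # unsigned, hidden, no hook
    Process("kbmon.exe", True, False, True, None),                 # unsigned keylogger, listed
]


def scan(procs=SAMPLE, required=4):
    """Verdict per process name for the given strictness."""
    return {p.name: classify(p, required)[0] for p in procs}


if __name__ == "__main__":
    print("strict  :", scan())
    print("required=3:", scan(required=3))
```

With the strict conjunction only `svchelper.exe` is flagged; relaxing to three of four traits also catches the unsigned keylogger that bothered to register an uninstall entry, at the cost of flagging every unsigned background helper. That trade-off is the "tweaking of features" the text describes, and it is why the vendors listed below pair heuristics with signatures rather than relying on either alone.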
What products are available at this next level? For that next level,
SMEs are advised to adopt gateway solutions that are both signature
based and heuristics based. The following products or companies are
examples of spyware mitigation that SMEs can implement:

Webroot SpySweeper Enterprise

• Comprehensive, corporate-wide detection and removal of spyware and
adware
• Automated distribution of spyware definitions and software updates
• Options to schedule group-based and company-wide spyware sweeps
• Ability to create and enforce customized protection policies
• Customizable, detailed reports and summaries on malicious threats
• Sophisticated support for remote and laptop users while outside the
corporate network
Webroot does not provide behavioral heuristics, but the software does
help relieve the administrative burden of updating all machines.

Blue Coat ProxySG

• Gateway-level signature scanning
• Web proxy URL filtering
• Permit/deny statements
• Blocks spyware communication originating from inside the network;
detects existing infections
Blue Coat does not use behavioral heuristics, nor does the product
clean machines that are already infected. The product does provide a
semi-centrally administered system and inspects traffic at the gateway.

R3000 Enterprise Filter and Reporter

• URL filtering
• Monitors outgoing and incoming network traffic for known spyware
communications
• Upon detection sends a block page to the initiating computer and a
TCP reset to the website to cancel the request
• Uses the same process for traffic entering the network
8e6, maker of stand-alone external Internet content filtering
appliances, provides a gateway-level solution, yet it does not offer
spyware removal nor does it employ behavioral heuristics (Forsite
Group, 2005).

Tipping Point IPS

• Blocks installation on new or freshly installed systems
• Blocks pop-up windows and traffic transfers on infected systems
• Constantly updates spyware coverage through Digital Vaccine releases
Tipping Point provides a gateway-level solution but no anti-spyware
removal tool. Updates occur weekly, which is good, but it does not yet
provide any type of behavioral heuristic approach. The product does
block network traffic from inside to outside spyware servers
(Sequeira, n.d.).

eSafe Gateway
• Spyware download blocking
• Spyware ID and signature blocking. This layer uses a blend of a
conventional virus-style signature database with smart heuristic
technologies provided by the Proactive Security Engine.
• Spyware communications blocking (The Spyware Epidemic, 2004).

eSafe uses a blend of signature blocking and the heuristic approach,
which gives the device the next level of support: the behavioral
heuristics provide a level of protection between updates. The product
does not remove existing spyware, but it does provide automatic
updates.

Primary Response by Sana Security

• Deep packet inspection with behavioral heuristics
• Signature blocking for straightforward cases

Primary Response depends heavily on the features and the behavioral
heuristics approach. No spyware removal tool is available.
AVERTING PHISHING
Phishing may be difficult to detect because phishers may imitate an SME's site so convincingly that users are persuaded to carry out transactions with the impostor. Commercial outfits, including SMEs engaged in E-Commerce, have collaborated with government institutions to develop phishing awareness websites, including the Anti-Phishing Working Group,iv the Better Business Bureau,v and Microsoft's Consumer Awareness Page on Phishing.vi
However, for SMEs and their customers the best guard against phishing is never to supply private information in response to an unsolicited e-mail request. If a user considers that the request might be valid, he or she should call the SME's customer service department to verify it before providing any information.
SMEs entering the global marketplace must understand that phishing does not directly exploit a vulnerability in the Web browser. Nevertheless, it is a browser-based attack, and it is one of the fastest growing attack mechanisms on the WWW.
A "phishiness" score for a Web page can be calculated using Bayesian analysis. This works because phishing pages have distinctive features and forms: they typically ask the user to enter highly confidential information (credit card number, name, permanent or correspondence address, etc.). Because such a score can produce a large number of false positives, only a warning is presented to the user, who can close and ignore it if he or she is sure the page is not a phishing page.
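An illustration of that Bayesian scoring in Python, added here rather than taken from the article: a Bernoulli naive Bayes classifier over a handful of page features a browser-side checker can observe (a prompt for confidential data, a password field, a form posting to a different host, an IP-address host, links pointing mostly off-site), trained on constructed labelled rows and applied to two constructed pages. The feature set, the training data, the sample pages and the 0.7 warning threshold are all assumptions of the example, and the result is a warning only, as the text recommends.

```python
"""Naive Bayes 'phishiness' score for a Web page.

Added example, not from the original article: the Bayesian scoring the
section describes, over page features a browser-side checker can observe.
Feature set, training rows, threshold and sample pages are constructed for
illustration; a real deployment would train on a labelled page corpus.
"""
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases whose presence suggests the page asks for confidential data.
SENSITIVE_WORDS = ("credit card", "card number", "cvv", "social security", "account number")
FEATURES = ("asks_sensitive", "password_field", "foreign_form_action", "ip_host", "foreign_links_majority")

class _PageScanner(HTMLParser):
    """Collect form actions, input types, link targets and visible text."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.input_types, self.hrefs, self.text = [], [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
    def handle_data(self, data):
        self.text.append(data)

def extract_features(page_url, html):
    """Map a page to the boolean feature vector the classifier scores."""
    scanner = _PageScanner()
    scanner.feed(html)
    host = urlparse(page_url).hostname or ""
    text = " ".join(scanner.text).lower()
    def foreign(url):  # absolute URL whose host differs from the page's host
        h = urlparse(url).hostname
        return h is not None and h != host
    foreign_links = [u for u in scanner.hrefs if foreign(u)]
    return {
        "asks_sensitive": any(w in text for w in SENSITIVE_WORDS),
        "password_field": "password" in scanner.input_types,
        "foreign_form_action": any(foreign(a) for a in scanner.form_actions),
        "ip_host": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)),
        "foreign_links_majority": bool(scanner.hrefs) and 2 * len(foreign_links) > len(scanner.hrefs),
    }

# Constructed training rows: feature vector in FEATURES order, then the label.
TRAINING = [
    ((1, 1, 1, 1, 1), True), ((1, 1, 1, 0, 1), True), ((1, 0, 1, 1, 0), True),
    ((1, 1, 0, 1, 1), True), ((1, 1, 1, 0, 0), True), ((0, 0, 0, 0, 0), False),
    ((0, 1, 0, 0, 0), False), ((1, 1, 0, 0, 0), False), ((0, 0, 0, 0, 1), False),
    ((0, 0, 0, 0, 0), False),
]

class NaiveBayes:
    """Bernoulli naive Bayes with Laplace smoothing over boolean features."""
    def __init__(self, rows):
        self.n = {True: 0, False: 0}
        self.present = {True: [0] * len(FEATURES), False: [0] * len(FEATURES)}
        for vec, label in rows:
            self.n[label] += 1
            for i, v in enumerate(vec):
                self.present[label][i] += int(bool(v))
    def _likelihood(self, label, i, is_present):
        p = (self.present[label][i] + 1) / (self.n[label] + 2)  # Laplace smoothing
        return p if is_present else 1 - p
    def phishiness(self, features):
        """Return P(phish | features) in [0, 1]."""
        total = self.n[True] + self.n[False]
        log_phish = math.log(self.n[True] / total)
        log_legit = math.log(self.n[False] / total)
        for i, name in enumerate(FEATURES):
            is_present = bool(features[name])
            log_phish += math.log(self._likelihood(True, i, is_present))
            log_legit += math.log(self._likelihood(False, i, is_present))
        return 1.0 / (1.0 + math.exp(log_legit - log_phish))

WARN_THRESHOLD = 0.7  # constructed; the score only warns the user, it never blocks

def assess(page_url, html, model=None):
    """Return (score, warn); warn is advisory because of false positives."""
    model = model or NaiveBayes(TRAINING)
    score = model.phishiness(extract_features(page_url, html))
    return score, score >= WARN_THRESHOLD

# Constructed sample pages: a look-alike hosted off-domain, and the real login page.
PHISH_URL = "http://shop-example.verify-account.test/login"
PHISH_PAGE = """<html><body><p>Your account is suspended. Confirm your credit card
number and password.</p><form action="http://203.0.113.9/collect.php" method="post">
<input type="text" name="card"><input type="password" name="pw"><input type="submit">
</form><a href="https://www.shop-example.com/">Home</a>
<a href="https://www.shop-example.com/help">Help</a><a href="/privacy">Privacy</a></body></html>"""
LEGIT_URL = "https://www.shop-example.com/login"
LEGIT_PAGE = """<html><body><p>Sign in to continue.</p><form action="/login" method="post">
<input type="email" name="user"><input type="password" name="pw"><input type="submit">
</form><a href="/">Home</a><a href="https://www.shop-example.com/help">Help</a></body></html>"""
```

Calling assess(PHISH_URL, PHISH_PAGE) scores the look-alike at about 0.96 and raises the warning; assess(LEGIT_URL, LEGIT_PAGE) scores the genuine login page at about 0.03. The features are deliberately crude (a legitimate checkout page also asks for a card number, and the training rows include one such page), which is exactly why the score should only drive a dismissible advisory rather than block the page.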

CONCLUSION
In E-Commerce, cybersecurity threats are increasing, and they are not likely to vanish in the times to come. All users shopping or carrying out E-Commerce transactions on the Internet must be mindful of the potential downside of going online and exchanging electronic information (Close et al., 2006). The upside of E-Commerce is that the world consumer market is easy to reach; the downside is that, along with legitimate consumers, all kinds of malicious users may be knocking on the door (Ghosh, 1998). With the Internet permeating every aspect of society and the economy, consumers are also becoming increasingly aware of using this technology (Smith, 2004). E-Commerce firms, along with governmental organizations such as consumer protection forums, have made a concerted beginning in building stronger defenses and controls for better security, and they need to coordinate their cooperation, which has a major role to play in improving security. Companies need to strengthen the knowledge bases and skill sets of their employees, as well as their degree of compliance, so that security can be tightened. SMEs that engage in E-Commerce must do everything possible to protect consumers' personal and financial information in B2C transactions as well as the proprietary information of business partners in B2B applications (Smith & Lias, 2007). To defeat the malicious intent of crackers and "cybercrooks," cybersecurity in E-Commerce needs due attention so that their attempts can be foiled. Nowadays information systems are under threat

from a wide variety of security risks, and with the growth of E-Commerce the evaluation of these risks by consumers and businesses becomes all the more important (Warren & Hutchison, 2003). The security priorities that will thwart intruders and deter crackers must be identified, and a disaster plan should be created to minimize damage by recovering from attacks that do occur. Questions regarding the potential risks, the impact of exposure to each of them on the organization, and how to control each of them need to be addressed. Regular analysis of security information and procedures from other sources can also assist an organization in formulating an effective security plan. Given the dynamic nature of computing environments, security plans must be re-evaluated regularly and enhanced to combat existing and emerging threats and vulnerabilities effectively. Security threats are growing both in scope and sophistication, and forward-thinking SMEs of all types and sizes will continue to strengthen their defenses against these threats.
Notes
i. The website http://www.attrition.org/mirror/attrition/ also
keeps a mirror of the defaced websites.
ii. Different types of software security holes in various
programs with the description of the flaws are available at
http://www.scary.beasts.org/security/.
iii. cf. http://www.keyghost.com/sx/.
iv. cf. http://www.antiphishing.org/.
v. cf. http://www.bbbonline.org/idtheft/phishing_cond.asp.
vi. cf. http://www.microsoft.com/athome/security/email/phishing.
mspx.

References
Alsaid, A., & Mitchell, J. C. (2005). Dynamic content attacks on
digital signatures. Information Management and Computer
Security, 13(4), 328–329.
Anderson, R. H., Bozek, T., Longstaff, T., Meitzler, W., Skroch, M., &
Wyk, V. K. (2000). Research on mitigating the insider threat
to information systems—#2. Retrieved July 20, 2007 from http://
www.rand.org/pubs/conf_proceedings/CF163/CF163.pdf.
Anti Phishing Working Group (2008). Phishing activity trends report
Q1/2008. Retrieved September 3, 2008 from http://www.anti
phishing.org/reports/apwg_report_Q1_2008.pdf.
Armstrong, L. H., & Forde, J. P. (2003). Internet anonymity prac-
tices in computer crime. Information Management & Computer
Security, 11(5), 209.
Ashrafi, N., & Kuilboer, P. J. (2001). Managing network security. In
M. Khosrow-Pour (Ed.), Managing information technology in a global
economy (pp. 122–124). Hershey, PA: Information Science
Publishing.
Bass, T., Freyre, A., Gruber, D., & Watt, G. (1998). E-mail bombs
and countermeasures: Cyber attacks on availability and brand
integrity. Retrieved June 18, 2007 from http://www.silkroad.
com/papers/pdf/ieee-network-email-bombs.pdf.

42 ª Copyright 2009 Taylor & Francis—All rights reserved.


MAY–JUNE 2009 E D P A C S

Becker, A. S., & Berkemeyer, A. (2006). Managing security vulnerabilities in a business-to-business electronic commerce organization. In M. Khosrow-Pour (Ed.), Advanced topics in electronic commerce, vol. 1 (pp. 51–70). Hershey, PA: Information Science Publishing.
Bidgoli, H. (2006). Handbook of Information Security. New York:
Wiley.
Bishop, M. (2005). Panel: The insider problem revisited. Retrieved July 14, 2007 from http://nob.cs.ucdavis.edu/bishop/papers/2005-nspw-1/insiderrev.pdf.
Bolz, C., Romney, W., & Rogers, B. L. (2004). Safely train security engineers regarding the dangers presented by denial of service attacks. In Proceedings of the 5th conference on Information technology education CITC5 (pp. 66–72). Boston: ACM Press.
Brustoloni, C. J. (2002). Protecting electronic commerce from
distributed denial-of-service attacks. Retrieved May 27, 2007
from http://www2002.org/CDROM/refereed/528/.
Brykczynski, B., & Small, R. A. (2003). Reducing internet-based intrusions: Effective security patch management. IEEE Software, 20(1), 50–57.
Caelli, J. W. (1994). Security in open and distributed systems.
Information Management and Computer Security, 2(1),17–18.
CERT (1991). CERT advisory CA-1991-19 AIX TFTP daemon vulnerability. Retrieved May 15, 2007 from http://131.111.8.10/pub/webmirrors/www.cert.org/advisories/CA-1991-19.html.
CERT, CSO, & ECTF. (2007). Over confidence is pervasive among security professionals. Retrieved May 19, 2008 from http://www.sei.cmu.edu/about/press/releases/2007ecrime.html.
Chang, R. K. (2002). Defending against flooding-based distributed denial-of-service attacks: A tutorial. IEEE Communications Magazine, 40(10), 42–51.
Chen, M. T., & Davis, C. (2006). An overview of electronic attacks.
In P. Kanellis, E. Kiountouzis, and D. Martakos (Eds.), Digital
crime and forensic science in cyberspace (pp. 1–17). Hershey, PA:
Information Science Publishing.
Chinchani, R., Iyer, A., Ngo, H. Q., & Upadhyaya, S. (2005).
Towards a theory of insider threat assessment. In Proceedings
of international conference on dependable systems and networks,
(pp. 67–78). Boston: ACM Press.
CircleID Reporter (2008). U.S. slammed as major host for cybercrime.
Retrieved September 5, 2008 from: http://www.circleid.com/
posts/us_slammed_major_host_cybercrime/.
Cisco (2007). Defining strategies to protect against TCP SYN
denial of service attacks. Retrieved August 14, 2007 from
http://cio.cisco.com/warp/public/707/4.html.
Clarke, R. (1999). Internet privacy confirms the case for interven-
tion. Communications of the ACM, 42(2), 56–62.
Close, A. G., Zinkhan, G. M., & Finney, R. Z. (2004). Cyber-identity
theft: A conceptual model and implications for public policy.
Retrieved December 26, 2007 from http://faculty.unlv.edu/
angeline/Close%5B1%5D%5B1%5D.Zinkhan.CyberIDTheft.pdf.
Close, A. G., Zinkhan, G. M., & Finney, R. Z. (2006). Cyber-identity
theft. In M. Khosrow-Pour (Ed.), Encyclopedia of e-commerce,
e-government, and mobile commerce (pp. 168–171). Hershey,
PA: Information Science Publishing.

ª Copyright 2009 Taylor & Francis—All rights reserved. 43


E D P A C S MAY–JUNE 2009

Colarik, A. (2006). Cyber Terrorism: Political and Economic Implications. Hershey, PA: Information Science Publishing.
Criscuolo, J. P. (2000). Distributed denial of service Trin00, tribe
flood network, tribe flood network 2000, and Stacheldraht.
Retrieved May 25, 2007 from http://www.ciac.org/ciac/docu-
ments/CIAC-2319_Distributed_Denial_of_Service.pdf.
Cyber Source (2007). Fraudsters will bag $3.6 billion from U.S.
eCommerce in 2007. Retrieved September 4, 2008 from http://
www.lightbridge.com/news_and_events/view.xml?page_id=1649.
De Argaez, E. (2004). How to prevent the online invasion of
spyware and adware. Retrieved June 27, 2007 from http://
www.internetworldstats.com/articles/art053.htm.
Deloitte (2006). 2006 global security survey. Retrieved April
24, 2007 from http://www.deloitte.com/dtt/cda/doc/content/
dtt_fsi_2006%20Global%20Security%20Survey_2006-06-13.pdf.
Doherty, F. N., & Fulford, H. (2005). Information security policies in large organisations: The development of a conceptual framework to explore their impact. In M. Quigley (Ed.), Information security and ethics: Social and organizational issues (pp. 238–244). Hershey, PA: Information Science Publishing.
Erickson, K., & Howard, N. P. (2007). A case of mistaken
identity? News accounts of hacker, consumer, and organizational
responsibility for compromised digital records. Journal of
Computer-Mediated Communication, 12(4). Retrieved September
14, 2008 from http://jcmc.indiana.edu/vol12/issue4/erickson.
html.
Ernst & Young (2007). Global information security survey 2007. Retrieved September 4, 2008 from http://www.ey.com/Global/assets.nsf/International/EY_TSRS_GISS2007/$file/EY_TSRS_GISS2007.pdf.
Federal Reserve Bank. (2004). New York: Payments Report.
Federal Trade Commission. (2004). Spyware poses risk to consumers—FTC. Retrieved June 16, 2007 from http://www.ftc.gov/opa/2004/04/spywaretest.shtm.
Ferguson, P., & Senie, D. (May 2000). Network ingress filtering:
Defeating denial of service attacks which employ IP source
address spoofing, RFC 2827. Retrieved May 10, 2008 from
http://www.faqs.org/rfcs/rfc2827.html.
Floyd, S., Bellovin, S., Ioannidis, J., Kompella, K., Mahajan, R.,
& Paxson, V. (July 2001). Pushback messages for controlling
aggregates in the network. Retrieved May 8, 2008
from http://bgp.potaroo.net/ietf/idref/draft-floyd-pushback-
messages/.
Furnell, S. (2004). E-commerce security: A question of trust. Computer Fraud & Security, 2004(10), 10–14.
Furnell, S. (2006). E-commerce security. In M. Warkentin (Ed.),
Enterprise information systems assurance and systems
security (pp. 131–147). Hershey, PA: Information Science
Publishing.
Furnell, S., & Ward, J. (2006). Malware: An evolving threat. In
P. Kanellis, E. Kiountouzis, & D. Martakos (Eds.), Digital crime
and forensic science in cyberspace (pp. 27–29). Hershey, PA:
Information Science Publishing.
Furnell, M. S., & Warren, J. M. (1997). Computer abuse: Vandalizing
the information society. Internet Research, 7(1), 61–65.

44 ª Copyright 2009 Taylor & Francis—All rights reserved.


MAY–JUNE 2009 E D P A C S

Forsite Group (2005). Neutralizing the spyware threat. Retrieved July 8, 2008 from http://8e6.com/newsletter/8e6/docs/wtp_r3000_neutralizing_spyware.pdf.
Gartner Group Inc. (2007). Gartner survey shows phishing attacks
escalated in 2007; More than $3 billion lost to these attacks.
Retrieved September 4, 2008 from http://www.gartner.com/it/
page.jsp?id=565125.
Ghosh, A. K. (1998). E-Commerce Security: Weak Links, Best
Defenses. New York: John Wiley and Sons, Inc.
Godfrey, P. B. (2002). Text-based captcha algorithms. Retrieved
July 2, 2008 from http://www.aladdin.cs.cmu.edu/hips/
events/abs/godfreyb_abstract.pdf.
Gordan, S. (2005). Fighting spyware and adware in the enterprise.
Information Systems Security ISC2 Journal, 14. Retrieved July 7,
2008 from http://findarticles.com/p/articles/mi_hb5868/
is_200507/ai_n23808478/.
Harwood, M. (2008). Outside threats more likely, insider threats more costly, says study. Retrieved September 5, 2008 from http://www.securitymanagement.com/news/outside-threats-more-likely-insider-threats-more-costly-says-study.
Hong, S. K., Chi, P. Y., Chao, R. L., & Tang, H. J. (2003).
An integrated system theory of information security
management. Information Management & Computer Security,
11(5), 243–247.
Hubbard, C. J., & Forcht, A. K. (1998). Computer viruses: How
companies can protect their systems. Industrial Management &
Data Systems, 98(1), 12–16.
Inside spyware: A guide to finding, removing, and preventing
online pests. (n.d.). Retrieved July 7, 2008 from http://
www.intranetjournal.com/spyware/index.html.
Ioannidis, J., & Bellovin, S. M. (n.d.). Implementing pushback: Router-based defense against DDoS attacks. Retrieved May 16, 2008 from http://www.cs.columbia.edu/~smb/papers/pushback-impl.pdf.
Ivens, K. (2000). Password problems. Retrieved September
16, 2007 from http://www.microsoft.com/technet/archive/
winntas/maintain/security/password.mspx?mfr=true.
Jennex, E., Walters, M. A., & Addo, A. B. T. (2004). SMEs and
knowledge requirements for operating hacker and security
tools. In M. Khosrow-Pour (Ed.), Innovations through information
technology (pp. 276–279). Hershey, PA: Information Science
Publishing.
Johnson, M. B., Croall, J. T., & Thomas, R. (2003). Netbouncer:
Client-legitimacy-based high performance DDoS filtering. In
Proceedings of DISCEX III, vol. 1, 14–25.
Kalakota, R., & Whinston, A. B. (1999). Frontiers of E-Commerce.
Singapore: Addison Wesley Longman Inc.
Kaplan, D. (2008). MTV breach impacts 5,000 employees, successful social-engineering blamed. Retrieved September 16, 2008 from http://www.securecomputing.net.au/News/105492,mtv-breach-impacts-5000-employees-successful-socialengineering-blamed.aspx.
Kirk, J. (2007). Elaborate ‘pharming’ attack targeted 50 banks.
Retrieved September 4, 2008 from http://www.computerworld.
com/action/article.do?command=viewArticleBasic&articleId =
9011653.

ª Copyright 2009 Taylor & Francis—All rights reserved. 45


E D P A C S MAY–JUNE 2009

Krause, J. (2005). Beware of spyware. ABA Journal, 91, 59–60.
Laudon, K., & Traver, C. (2001). E-Commerce. Singapore: Addison
Wesley Longman Inc.
Lawton, G. (2002). Virus wars: Fewer attacks, new threats. IEEE
Computer, 35(12), 22–24.
Lee, J., & Lee, Y. (2002). A holistic model of computer abuse within
SMEs. Information Management & Computer Security, 10(2), 57–58.
Lo, J. (2003). Denial of service or ‘nuke’ attacks. Retrieved May
19, 2007 from http://www.irchelp.org/irchelp/nuke/.
Magklaras, B. G., Furnell, M. S., & Brooke, J. P. (2006). Towards
an insider threat prediction specification language. Information
Management & Computer Security, 14(4), 361–362.
Martin, R. A. (2001). Managing vulnerabilities in networked sys-
tems. IEEE Computer, 34(11), 32–38.
McAfee (2006). Phishing and pharming—Understanding phishing
and pharming. Retrieved June 17, 2007 from http://www.mcafee.
com/us/local_content/white_papers/wp_phishing_pharming.pdf.
McClain, C. (2006). Can identity theft defense be practically effective? A TAM-derived survey of software-based deterrence to phishing and pharming. In M. Khosrow-Pour (Ed.), Emerging trends and challenges in information technology management (vol. 1, pp. 452–455). Hershey, PA: Information Science Publishing.
Merkow, M. S., & Breithaupt, J. (2000). The Complete Guide to
Internet Security. New York: AMACOM Books.
Mirkovic, J., Robinson, M., Reiher, P., & Kuenning, G. (2003). Alliance formation for DDoS defense. Retrieved July 18, 2009 from http://www.lasr.ca.ucla.edu/defcom/defcom-nspw.pdf.
Moore, D., Voelker, G. M., & Savage, S. (2001). Inferring internet
denial-of-service activity. In Proceedings of the 10th USENIX
Security Symposium, Washington, DC, pp. 234–236.
Morris, R., & Thompson, K. (1979). Password security: A case history. Communications of the ACM, 22(11), 594–597.
Natural language processing (n.d.). Retrieved May 2, 2008 from
http://en.wikipedia.org/wiki/Natural language processing.
Newman, R. G., & McNally, M. M. (2005). Identity theft literature
review. Retrieved September 4, 2008 from http://
www.ncjrs.gov/pdffiles1/nij/grants/210459.pdf.
Northcutt, S., & Novak, J. (2002). Network intrusion detection
(3rd ed.). Indianapolis: New Riders Publishing.
OpenCongress (2007). Identity theft enforcement and restitu-
tion act of 2007. Retrieved September 5, 2008 from http://
www.opencongress.org/bill/110-s2168/show.
Papadimitratos, P., & Haas, Z. J. (2002). Securing the internet rout-
ing infrastructure. IEEE Communication Magazine, 40(10), 60–68.
Parameswaran, M., Zhao, X., Whinston, A. B., & Fang, F. (2007).
Reengineering the internet for better security. IEEE Computer,
40(1), 40–44.
Phishing Dangers (2005). Phishing scams—Protect your identity.
Retrieved June 30, 2007 from http://www.phishingdangers.
com/2004/10/federal_trade_c.html.
Preventing malicious spyware in the enterprise. (2005). Sana
Security. Retrieved July 8, 2008 from http://searchsecurity.
bitpipe.com/detail/RES/1116356740_838.html.
Pulkkis, G., Grahan, J. K., & Astrom, P. (2003). Network security software. In R. Azari (Ed.), Current security management & ethical issues of information technology (pp. 1–41). Hershey, PA: IRM Press.
Rao, G. S. V. R. (2004). Threats and security of Web services—A
theoretical short study. In Proceedings of IEEE international
symposium communications and information technology, (vol. 2,
pp. 783–786).
Ratnasingam, P. (2002). The importance of trust in web services
security. Information Management & Computer Security, 10(5),
255–260.
Raymond, E. (2001). What is a hacker? Retrieved July 23, 2007 from http://www.catb.org/~esr/faqs/hacker-howto.html.
Reimer, J. (2007). Mystery eBay ‘hack’ exposes 1,200 accounts,
possibly more. Retrieved September 5, 2008 from http://
arstechnica.com/news.ars/post/20070926-mystery-ebay-hack-
exposes-1200-accounts-possibly-more.html.
Reuvid, J. (2003). The Secure Online Business: E-commerce, IT
Functionality & Business Continuity. London: Kogan Page.
Robinson, C. (2003). Patch deployment best practices in the enterprise. CSO Analyst Reports. Retrieved June 14, 2007 from http://www.csoonline.com/analyst/report1837.html.
Oppliger, R. (2002). Security Technologies for the World Wide Web. Boston, MA: Artech House.
Savage, S., Wetherall, D., Karlin, A. R., & Anderson, T. (2000). Practical network support for IP traceback. In Proceedings of ACM SIGCOMM 2000 (pp. 295–306).
Schuba, C. L., Krsul, I. V., Kuhn, M. G., Spafford, E. H., Sundaram,
A., & Zamboni, D. (1997). Analysis of a denial of service attack on
TCP. In Proceedings of the IEEE Symposium on Security and Privacy,
Oakland, CA (pp. 208–223). Retrieved May 7, 2008 from https://
www.cerias.purdue.edu/techreportsssl/public/97-06.ps.
Scott, D., & Sharp, R. (2002). Developing secure web applications. Retrieved April 12, 2007 from http://www.recoil.org/~djs/developingsecure.pdf.
SecuriTeam (1999). Kiss of death—A new Denial of Service attack. Retrieved July 12, 2009 from http://www.securiteam.com/windowsntfocus/2MUPQRFRPK.html.
Sequeira, S. (n.d.). Understanding and preventing spyware in
the enterprise. Retrieved July 7, 2008 from http://www.
tippingpoint.com/resources_whitepapers.html.
Shannon, C., & Moore, D. (2004). The spread of the Witty worm. CAIDA, Tech. Rep. Retrieved July 7, 2008 from http://www.caide.org/research/security/witty.
Shimonski, R. (2002). Introduction to password cracking. Retrieved
April 30, 2007 from http://www-106.ibm.com/developerworks/
library/s-crack/.
Skoudis, E. (2005). Mission impossible: Techknowledge. Information
security. Retrieved July 8, 2008 from http://informationsecurity.
techtarget.com/magItem/1,291266,sid42_gci1101272,00.html.
Smith, D. A. (2004). Cybercriminal impacts on online
business and consumer confidence. Online Information Review,
28(3), 224.
Smith, D. A., & Rupp, T. W. (2002). Issues in cybersecurity:
Understanding the potential risks associated with hackers/
crackers. Information Management & Computer Security, 10(4),
178–181.

ª Copyright 2009 Taylor & Francis—All rights reserved. 47


E D P A C S MAY–JUNE 2009

Smith, D. A., & Lias, A. R. (2007). Identity theft and e-fraud as critical CRM concerns. In H. Nemati (Ed.), Information Security and Ethics: Concepts, Methodologies, Tools, and Applications (pp. 48–49).
Sipior, J. C., Ward, B. T., & Roselli, G. R. (2005). The ethical and legal concerns of spyware. Journal of Information Systems Management, 22(2), 39–50.
Stein, L. (2002). The World Wide Web security FAQ. Retrieved
April 26, 2007 from http://www.w3.org/Security/Faq/.
Stiennon, R. (2007). What's driving cyber crime? Retrieved April 18, 2007 from http://www.esecurityplanet.com/article.php/11162_3664861_2.
Sterne, D., Djahandari, K., Wilson, B., Babson, B., Schnackenberg, D., Holliday, H., & Reid, T. (2001). Autonomic response to distributed denial of service attacks. In Proceedings of Recent Advances in Intrusion Detection, 4th International Symposium (pp. 134–149). Davis, CA.
Symantec (2007a). Spyware.SKIn. Retrieved September 5, 2008 from http://www.symantec.com/security_response/writeup.jsp?docid=2004-070618-1513-99&tabid=2.
Symantec (2007b). W32.Bacteria. Retrieved September 5,
2008 from http://www.symantec.com/security_response/
writeup.jsp?docid=2006-051110-5539-99&tabid=2.
Symantec (2007c). Spyware.KeyKey. Retrieved September 5,
2008 from http://www.symantec.com/security_response/
writeup.jsp?docid=2004-070214-2341-99&tabid=2.
The spyware epidemic: Dealing with ‘‘legal’’ malicious code. (2004).
Retrieved July 8, 2005 from http://wp.bitpipe.com/resource/
org_975958765_149/WP_Aladdin_Security_pdf_May2005.pdf.
Thompson, J. F. (2002, November–December). Identity, privacy,
and information technology. EDUCAUSE Review (pp. 64–65).
Retrieved May 21, 2007 from http://www.educause.edu/ir/
library/pdf/erm0267.pdf.
Thornburgh, T. (2004). Social engineering: The ‘‘dark art.’’ In
Proceedings of the 1st annual conference on information security curri-
culum development InfoSecCD, (pp. 133–135). Boston: ACM Press.
Thurston, R. (2008). Brute-force SSH attacks surge. Retrieved
September 5, 2008 from http://www.scmagazineuk.com/Brute-
force-SSH-attacks-surge/article/110195/.
Urbach, R. R., & Kibel, G. A. (2004). Adware/Spyware: An update
regarding pending litigation and legislation. Intellectual Property
& Technology Law Journal, 16(7), 12.
Viruslist (2007). Trojan-Downloader.Win32.Banload.dcd. Retrieved
September 4, 2008 from http://www.viruslist.com/en/viruses/
encyclopedia?virusid=177737.
Volonino, L., & Robinson, S. (2004). In Natalie E. Anderson (Ed.),
Principles and practice of information security, Hoboken, NJ:
Prentice Hall, pp. 63–171.
Warren, M., & Hutchison, W. (2001). Cyber terrorism and
the contemporary corporation. In G. Dhillon (Ed.), Information
security management—Global challenges in the new millennium
(pp. 60–66). Hershey, PA: Information Science Publishing.
Warren, M., & Hutchison, W. (2003). A security risk management
approach for E-Commerce. Information Management & Computer
Security, 11(5), 238–247.

48 ª Copyright 2009 Taylor & Francis—All rights reserved.


MAY–JUNE 2009 E D P A C S

Wen, J. H. (1998). Internet computer virus protection policy. Information Management & Computer Security, 6(2), 66–71.
Web Application Security Consortium (2007). The web hacking
incidents database. Retrieved May 24, 2007 from http://
www.webappsec.org/projects/whid/list_year_2007.shtml.
Web Application Security Consortium (2008). The web hacking
incidents database. Retrieved September 4, 2008 from http://
www.webappsec.org/projects/whid/byyear_year_2008.shtml.
Williams, M. (2002). EBay, Amazon, Buy.com hit by attacks.
Retrieved May 1, 2007 from http://www.networkworld.com/
news/2000/0209attack.html.
Wylupski, W., Champion, R. D., & Grant, Z. (2006). Incident pre-
paredness and response: Developing a security policy. In
P. Kanellis, E. Kiountouzis, & D. Martakos (Eds.), Digital crime
and forensic science in cyberspace (pp. 221–222). Hershey, PA:
Information Science Publishing.
Wong, T. T. (2006). Neural data mining system for trust-based evaluation in smart SMEs. In I. Mezgar (Ed.), Integration of ICT in smart SMEs (pp. 162–166). Hershey, PA: Information Science Publishing.
Zone-h (2008). Yet another Microsoft defacement. Retrieved
September 4, 2008 from http://www.zone-h.org/content/view/
14980/1/.

Kunal Sharma has been teaching as a faculty member in the Department of Management Studies, now renamed the Institute of Management Studies, since 2001. He is employed with DOEACC Society, Chandigarh, Ministry of IT, Govt. of India, as Sr. Systems Analyst. He holds a B.Tech (CSE) from NIT Hamirpur and an MBA (IT) from the Institute of Management Studies, and he is pursuing his thesis dissertation at H.P. University. His areas of interest include E-Commerce and E-learning.
Amarjeet Singh has been teaching in the Department of Computer Science, Himachal Pradesh University, Shimla, India, since 1992. At present he is designated Associate Professor. He holds a Bachelor of Engineering in Computer Science from NIT Bhopal (1991), an M.Sc. in Distributed Information Systems from the University of East London (1996), and a Ph.D. from Himachal Pradesh University (2005). His areas of interest are E-Governance, Distributed Information Systems, ICT for Development, and the impact of ICT on society.
Ved Prakash Sharma is currently the Branch Manager of DOEACC Society, Ministry of IT, Government of India. He holds an MCA from H.P. University and is pursuing his thesis dissertation at H.P. University. His areas of interest include RDBMS and Networking.
